15 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3, 214, and 216, Pub. L. 108-159, 117 Stat. 1952.
(a)
(b)
(2)
(ii) For purposes of appendix B to this part, financial institutions as defined in section 509 of the Gramm-Leach-Bliley Act (12 U.S.C. 6809), may use the model notices in appendix B to this part to comply with the notice requirement in section 623(a)(7) of the Fair Credit Reporting Act (15 U.S.C. 1681s-2(a)(7)).
(c)
(1)
(ii) Each of the provisions of the FACT Act that authorizes an agency to issue a regulation or to take other action to implement the applicable provision of the FACT Act or the applicable provision of the Fair Credit Reporting Act, as amended by the FACT Act, but only with respect to that agency's authority to propose and adopt the implementing regulation or to take such other action.
(2)
(ii) Section 156, concerning the statute of limitations;
(iii) Sections 312(d), (e), and (f), concerning the furnisher liability exception, liability and enforcement, and rule of construction, respectively;
(iv) Section 313(a), concerning action regarding complaints;
(v) Section 611, concerning communications for certain employee investigations; and
(vi) Section 811, concerning clerical amendments.
(3)
(ii) Section 114, concerning procedures for the identification of possible instances of identity theft;
(iii) Section 115, concerning truncation of the social security number in a consumer report;
(iv) Section 151(a)(1), concerning the summary of rights of identity theft victims;
(v) Section 152, concerning blocking of information resulting from identity theft;
(vi) Section 153, concerning the coordination of identity theft complaint investigations;
(vii) Section 154, concerning the prevention of repollution of consumer reports;
(viii) Section 155, concerning notice by debt collectors with respect to fraudulent information;
(ix) Section 211(c), concerning a summary of rights of consumers;
(x) Section 212(a)-(d), concerning the disclosure of credit scores;
(xi) Section 213(c), concerning enhanced disclosure of the means available to opt out of prescreened lists;
(xii) Section 217(a), concerning the duty to provide notice to a consumer;
(xiii) Section 311(a), concerning the risk-based pricing notice;
(xiv) Section 312(a)-(c), concerning procedures to enhance the accuracy and integrity of information furnished to consumer reporting agencies;
(xv) Section 314, concerning improved disclosure of the results of reinvestigation;
(xvi) Section 315, concerning reconciling addresses;
(xvii) Section 316, concerning notice of dispute through reseller; and
(xviii) Section 317, concerning the duty to conduct a reasonable reinvestigation.
The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.
For purposes of this part, unless explicitly stated otherwise:
(a)
(b)
(c) [Reserved]
(d)
(e)
(f)-(h) [Reserved]
(i)
(1) One company has, with respect to the other company:
(i) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;
(ii) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or
(iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as the Board determines; or
(2) Any other person has, with respect to both companies, a relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of this section.
(j) [Reserved]
(k)
(1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to:
(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a consumer's residence address or e-mail address;
(iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or
(iv) Information that does not identify a specific consumer.
(l)
(a)
(b)
(1)
(2)
(ii)
(3)
(4)
(A) A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by this subpart;
(B) The purchase, rental, or lease by the consumer of the person's goods or services, or a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart; or
(C) An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart.
(ii)
(B) If a consumer obtained a certificate of deposit from a depository institution, but did not renew the certificate at maturity, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date of maturity of the certificate of deposit.
(C) If a consumer obtains a mortgage, the mortgage lender has a pre-existing business relationship with the consumer. If the mortgage lender sells the consumer's entire loan to an investor, the mortgage lender has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date it sells the loan, and the investor has a pre-existing
(D) If a consumer applies to a depository institution for a product or service that it offers, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the application.
(E) If a consumer makes a telephone inquiry to a depository institution about its products or services and provides contact information to the institution, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
(F) If a consumer makes an inquiry to a depository institution by e-mail about its products or services, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
(G) If a consumer has an existing relationship with a depository institution that is part of a group of affiliated companies, makes a telephone call to the centralized call center for the group of affiliated companies to inquire about products or services offered by the insurance affiliate, and provides contact information to the call center, the call constitutes an inquiry to the insurance affiliate that offers those products or services. The insurance affiliate has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from its affiliated depository institution to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
(iii)
(B) If a consumer who has a deposit account with a depository institution makes a telephone call to an affiliate of the institution to ask about the affiliate's retail locations and hours, but does not make an inquiry about the affiliate's products or services, the call does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate. Also, the affiliate's capture of the consumer's telephone number does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone call to a depository institution in response to an advertisement that offers a free promotional item to consumers who call a toll-free number, but the advertisement does not indicate that the depository institution's products or services will be marketed to consumers who call in response, the call does not create a pre-existing business relationship between the consumer and the depository institution because the consumer has not made an inquiry about a product or service offered by the institution, but has merely responded to an offer for a free promotional item.
(5)
(A) Based on eligibility information communicated to that person by its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such product or service.
(ii)
(iii)
(6)
(a)
(i) It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer;
(ii) The consumer is provided a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and
(iii) The consumer has not opted out.
(2)
(3)
(i) By an affiliate that has or has previously had a pre-existing business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an affiliated group of companies, provided that at least one of the affiliates on the joint notice has or has previously had a pre-existing business relationship with the consumer.
(b)
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the following:
(A) Identify the consumer or type of consumer to receive a solicitation;
(B) Establish criteria used to select the consumer to receive a solicitation; or
(C) Decide which of your products or services to market to the consumer or tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the consumer is provided a solicitation.
(2)
(3)
(4)
(i) Uses its own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer; or
(ii) Directs its service provider to use the affiliate's own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer, and you do not communicate directly with the service provider regarding that use.
(5)
(A) Your affiliate controls access to and use of its eligibility information by the service provider (including the right to establish the specific terms and conditions under which the service provider may use such information to market your products or services);
(B) Your affiliate establishes specific terms and conditions under which the service provider may access and use the affiliate's eligibility information to market your products and services (or those of affiliates generally) to the consumer, such as the identity of the affiliated companies whose products or services may be marketed to the consumer by the service provider, the types of products or services of affiliated companies that may be marketed, and the number of times the consumer may receive marketing materials, and periodically evaluates the service provider's compliance with those terms and conditions;
(C) Your affiliate requires the service provider to implement reasonable policies and procedures designed to ensure that the service provider uses the affiliate's eligibility information in accordance with the terms and conditions established by the affiliate relating to the marketing of your products or services;
(D) Your affiliate is identified on or with the marketing materials provided to the consumer; and
(E) You do not directly use your affiliate's eligibility information in the manner described in paragraph (b)(1)(ii) of this section.
(ii)
(B) The specific terms and conditions established by your affiliate as provided in paragraph (b)(5)(i)(B) of this section must be set forth in writing.
(6)
(ii) The same facts as in the example in paragraph (b)(6)(i) of this section, except that after using the eligibility information to identify the consumer to receive a solicitation about insurance products, the insurance company asks the depository institution to send the solicitation to the consumer and the depository institution does so. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer because it used eligibility information about the consumer that it received from an affiliate to identify the consumer to receive a solicitation about its products or services, and, as a result, a solicitation was provided to the consumer about the insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of this section, except that eligibility information about consumers that have deposit accounts with the depository institution is placed into a common database that all members of the affiliated group of companies may independently access and use. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the depository institution. The depository institution reviews eligibility information about its own consumers using the selection criteria provided by the insurance company to determine which consumers should receive the insurance company's marketing materials and sends marketing materials about the insurance company's products to those consumers. Even though the insurance company has received eligibility information through the common database as provided in paragraph (b)(2) of this section, it did not use that information to identify consumers or establish selection criteria; instead, the depository institution used its own eligibility information. Therefore, pursuant to paragraph (b)(4)(i) of this section, the insurance company has not made a solicitation to the consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of this section, except that the depository institution provides the insurance company's criteria to the depository institution's service provider and directs the service provider to use the depository institution's eligibility information to identify depository institution consumers who meet the criteria and to send the insurance company's marketing materials to those consumers. The insurance company does not communicate directly with the service provider regarding the use of the depository institution's information to market its products to the depository institution's consumers. Pursuant to paragraph (b)(4)(ii) of this section, the insurance company has not made a solicitation to the consumer.
(v) An affiliated group of companies includes a depository institution, an insurance company, and a service provider. Each affiliate in the group places information about its consumers into a common database. The service provider has access to all information in the common database. The depository institution controls access to and use of its eligibility information by the service provider. This control is set forth in a written agreement between the depository institution and the service provider. The written agreement also requires the service provider to establish reasonable policies and procedures designed to ensure that the service provider uses the depository institution's eligibility information in accordance with specific terms and conditions established by the depository institution
(vi) The same facts as in the example in paragraph (b)(6)(v) of this section, except that the terms and conditions permit the service provider to use the depository institution's eligibility information to market the products and services of other affiliates to the depository institution's consumers whenever the service provider deems it appropriate to do so. The service provider uses the depository institution's eligibility information in accordance with the discretion afforded to it by the terms and conditions. Because the terms and conditions are not specific, the requirements of paragraph (b)(5) of this section have not been satisfied.
(c)
(1) To make a solicitation for marketing purposes to a consumer with whom you have a pre-existing business relationship;
(2) To facilitate communications to an individual for whose benefit you provide employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or status of the individual as a participant or beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this subparagraph shall not be construed as permitting you to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation as a result of the election of the consumer to opt out under this subpart;
(4) In response to a communication about your products or services initiated by the consumer;
(5) In response to an authorization or request by the consumer to receive solicitations; or
(6) If your compliance with this subpart would prevent you from complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which you are lawfully doing business.
(d)
(2)
(ii) The same facts as in paragraph (d)(2)(i) of this section, except the consumer has been given an opt-out notice, but has not elected to opt out. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may send the solicitation on behalf of the depository institution because, as a result of the consumer's not opting out, the depository institution is permitted to make the solicitation.
(3)
(ii) A consumer who has a deposit account with a depository institution contacts the institution to request information about how to save and invest for a child's college education without specifying the type of product in which the consumer may be interested. Information about a range of different products or services offered by the depository institution and one or more affiliates of the institution may be responsive to that communication. Such products or services may include the following: Mutual funds offered by the institution's mutual fund affiliate; section 529 plans offered by the institution, its mutual fund affiliate, or another securities affiliate; or trust services offered by a different financial institution in the affiliated group. Any affiliate offering investment products or services that would be responsive to the consumer's request for information about saving and investing for a child's college education may use eligibility information to make solicitations to the consumer in response to this communication.
(iii) A credit card issuer makes a marketing call to the consumer without using eligibility information received from an affiliate. The issuer leaves a voice-mail message that invites the consumer to call a toll-free number to apply for the issuer's credit card. If the consumer calls the toll-free number to inquire about the credit card, the call is a consumer-initiated communication about a product or service and the credit card issuer may
(iv) A consumer calls a depository institution to ask about retail locations and hours, but does not request information about products or services. The institution may not use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services because the consumer-initiated communication does not relate to the depository institution's products or services. Thus, the use of eligibility information received from an affiliate would not be responsive to the communication and the exception does not apply.
(v) A consumer calls a depository institution to ask about retail locations and hours. The customer service representative asks the consumer if there is a particular product or service about which the consumer is seeking information. The consumer responds that the consumer wants to stop in and find out about certificates of deposit. The customer service representative offers to provide that information by telephone and mail additional information and application materials to the consumer. The consumer agrees and provides or confirms contact information for receipt of the materials to be mailed. The depository institution may use eligibility information it receives from an affiliate to make solicitations to the consumer about certificates of deposit because such solicitations would respond to the consumer-initiated communication about products or services.
(4)
(ii) A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a blank check box that the consumer may check to authorize or request information from the credit card issuer's affiliates. The consumer checks the box. The consumer has authorized or requested solicitations from the card issuer's affiliates.
(iii) A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a pre-selected check box indicating that the consumer authorizes or requests information from the issuer's affiliates. The consumer does not deselect the check box. The consumer has not authorized or requested solicitations from the card issuer's affiliates.
(iv) The terms and conditions of a credit card account agreement contain preprinted boilerplate language stating that by applying to open an account the consumer authorizes or requests to receive solicitations from the credit card issuer's affiliates. The consumer has not authorized or requested solicitations from the card issuer's affiliates.
(e)
(a)
(2)
(A) A single continuing relationship or multiple continuing relationships that the consumer establishes with you or your affiliates, including continuing relationships established subsequent to delivery of the opt-out notice, so long
(B) Any other transaction between the consumer and you or your affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a continuing relationship with you or your affiliate if the consumer—
(A) Opens a deposit or investment account with you or your affiliate;
(B) Obtains a loan for which you or your affiliate owns the servicing rights;
(C) Purchases an insurance product from you or your affiliate;
(D) Holds an investment product through you or your affiliate, such as when you act or your affiliate acts as a custodian for securities or for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your affiliate whereby you or your affiliate undertakes to arrange or broker a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with you or your affiliate; or
(G) Obtains financial, investment, or economic advisory services from you or your affiliate for a fee.
(3)
(ii)
(A) The consumer uses your or your affiliate's ATM to withdraw cash from an account at another financial institution; or
(B) You or your affiliate sells the consumer a cashier's check or money order, airline tickets, travel insurance, or traveler's checks in isolated transactions.
(4)
(5)
(ii)
(b)
(c)
(a)
(i) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as “ABC,” then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by “all of the ABC and XYZ companies” or by “the ABC banking and credit card companies and the XYZ insurance companies”;
(ii) A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as “ABC,” then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to “all of the ABC and XYZ companies” or to “the ABC banking and credit card companies and the XYZ insurance companies”;
(iii) A general description of the types of eligibility information that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified period of time stated in the notice and, if applicable, that the consumer will be allowed to renew the election once that period expires;
(vi) If the notice is provided to consumers who may have previously opted out, such as if a notice is provided to consumers annually, that the consumer who has chosen to limit solicitations does not need to act again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2)
(ii) The opt-out notice must explain how an opt-out direction by a joint consumer will be treated. An opt-out direction by a joint consumer may be treated as applying to all of the associated joint consumers, or each joint consumer may be permitted to opt out separately. If each joint consumer is permitted to opt out separately, one of the joint consumers must be permitted
(iii) It is impermissible to require
(3)
(4)
(b)
(c)
(a)
(b)
(1)
(2)
(ii) The opt-out notice is provided to the consumer by e-mail where the consumer has agreed to receive disclosures by e-mail from the person sending the notice. The consumer is given 30 days after the e-mail is sent to elect to opt out by any reasonable means.
(3)
(4)
(5)
(a)
(b)
(i) Designating a check-off box in a prominent position on the opt-out form;
(ii) Including a reply form and a self-addressed envelope together with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that can be electronically mailed or processed at an Internet Web site, if the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights described in a consolidated opt-out notice that includes the privacy opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
(2)
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in electronic form only, such as through posting at an Internet Web site, to opt out solely by paper mail or by visiting a different Web site without providing a link to that site.
(c)
(a)
(b)
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or
(4) Posts the notice on the Internet Web site at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.
(c)
(1) Only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or
(3) Posts the notice on an Internet Web site without requiring the consumer to acknowledge receipt of the notice.
(a)
(i) The consumer has been given a renewal notice that complies with the requirements of this section and §§ 222.24 through 222.26 of this part, and a reasonable opportunity and a reasonable and simple method to renew the opt-out, and the consumer does not renew the opt-out; or
(ii) An exception in § 222.21(c) of this part applies.
(2)
(3)
(i) By the affiliate that provided the previous opt-out notice, or its successor; or
(ii) As part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.
(b)
(1) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as “ABC,” then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by “all of the ABC and XYZ companies” or by “the ABC banking and credit card companies and the XYZ insurance companies”;
(2) A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as “ABC,” then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to “all of the ABC and XYZ companies” or to “the ABC banking and credit card companies and the XYZ insurance companies”;
(3) A general description of the types of eligibility information that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous election;
(7) If applicable, that the consumer's election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires; and
(8) A reasonable and simple method for the consumer to opt out.
(c)
(i) A reasonable period of time before the expiration of the opt-out period; or
(ii) Any time after the expiration of the opt-out period but before solicitations that would have been prohibited by the expired opt-out are made to the consumer.
(2)
(d)
(a)
(b)
(c)
(a)
(1) Any of the following that participates as a creditor in a transaction—
(i) A bank that is a member of the Federal Reserve System (other than national banks) and its subsidiaries;
(ii) A branch or Agency of a foreign bank (other than Federal branches, Federal Agencies, and insured State branches of foreign banks) and its subsidiaries;
(iii) A commercial lending company owned or controlled by foreign banks;
(iv) An organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601
(v) A bank holding company and an affiliate of such holding company (other than depository institutions and consumer reporting agencies); or
(2) Any other person that participates as a creditor in a transaction involving a person described in paragraph (a)(1) of this section.
(b)
(2)
(ii)
(iii)
(A) Any determination of the consumer's qualification or fitness for employment, insurance (other than a credit insurance product), or other non-credit products or services;
(B) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit; or
(C) Maintaining or servicing the consumer's account in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit.
(c)
(2)
(3)
(i) In response to a general question regarding a consumer's debts or expenses, the creditor receives information that the consumer owes a debt to a hospital.
(ii) In a conversation with the creditor's loan officer, the consumer informs the creditor that the consumer has a particular medical condition.
(iii) In connection with a consumer's application for an extension of credit, the creditor requests a consumer report from a consumer reporting agency and receives medical information in the consumer report furnished by the agency even though the creditor did not specifically request medical information from the consumer reporting agency.
(d)
(i) The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and
(iii) The creditor does not take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.
(2)
(A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that may serve as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability income, workers' compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment; or
(D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to, a transaction involving the consolidation of medical debts.
(ii)
(B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor's underwriting criteria. The creditor has used
(C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current. The applicant meets the income and other requirements of the creditor's underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception.
(iii)
(B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor's established requirements for the requested mortgage loan. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The credit committee follows the loan officer's recommendation and denies the application because the consumer has a potentially terminal disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit.
(C) A consumer who has an apparent medical condition, such as a consumer who uses a wheelchair or an oxygen tank, meets with a loan officer to apply for a home equity loan. The consumer meets the creditor's established requirements for the requested home equity loan and the creditor typically does not require consumers to obtain a debt cancellation contract, debt suspension agreement, or credit insurance product in connection with such loans. However, based on the consumer's apparent medical condition, the loan officer recommends to the credit committee that credit be extended to the consumer only if the consumer obtains a debt cancellation contract, debt suspension agreement, or credit insurance product from a nonaffiliated third party. The credit committee agrees with the loan officer's recommendation. The loan officer informs the consumer that the consumer must obtain a debt cancellation contract, debt suspension agreement, or credit insurance product from a nonaffiliated third party to qualify for the loan. The consumer obtains one of these products and the creditor approves the loan. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis in setting conditions on the consumer's eligibility for credit.
(e)
(i) To determine whether the use of a power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate or whether the consumer has the
(ii) To comply with applicable requirements of local, state, or Federal laws;
(iii) To determine, at the consumer's request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is—
(A) Designed to meet the special needs of consumers with medical conditions; and
(B) Established and administered pursuant to a written plan that—
(
(
(iv) To the extent necessary for purposes of fraud prevention or detection;
(v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds;
(vi) Consistent with safe and sound practices, if the consumer or the consumer's legal representative specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances, and such request is documented by the creditor;
(vii) Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical condition or event apply to a consumer;
(viii) To determine the consumer's eligibility for, the triggering of, or the reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement; or
(ix) To determine the consumer's eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product.
(2)
(3)
(ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit.
(iii) A creditor has an established medical loan program for financing particular elective surgical procedures.
(4)
(ii) If a consumer applies for a loan by telephone and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan by liquidating assets, the creditor may, but is not required to, evaluate the application using the sale of assets as the primary source of repayment, consistent with safe and sound practices, provided that the creditor documents the consumer's request by recording the oral conversation or making a notation of the request in the consumer's file.
(iii) If a consumer applies for a loan and the application form provides a space where the consumer may provide any other information or special circumstances, whether medical or non-medical, that the consumer would like the creditor to consider in evaluating the consumer's application, the creditor may use medical information provided by the consumer in that space on that application to accommodate the consumer's application for credit, consistent with safe and sound practices, or may disregard that information.
(iv) If a consumer specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit and provides the creditor with medical information for that purpose, and the creditor determines that it needs additional information regarding the consumer's circumstances, the creditor may request, obtain, and use additional medical information about the consumer as necessary to verify the information provided by the consumer or to determine whether to make an accommodation for the consumer. The consumer may decline to provide additional information, withdraw the request for an accommodation, and have the application considered under the creditor's otherwise applicable underwriting criteria.
(v) If a consumer completes and signs a credit application that is not for medical purpose credit and the application contains boilerplate language that routinely requests medical information from the consumer or that indicates that by applying for credit the consumer authorizes or consents to the creditor obtaining and using medical information in connection with a determination of the consumer's eligibility, or continued eligibility, for credit, the consumer has not specifically requested that the creditor obtain and use medical information to accommodate the consumer's particular circumstances.
(5)
(a)
(b)
(a)
(b)
(1) Medical information;
(2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment transactions for medical products or services.
(c)
(1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);
(2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;
(5) In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with § 222.30 of this part; or
(6) As otherwise permitted by order of the Board.
Subpart E of this part applies to member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act, as amended (12 U.S.C. 1844(c)(5)), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601
For purposes of this subpart and appendix E of this part, the following definitions apply:
(a)
(1) Reflects the terms of and liability for the account or other relationship;
(2) Reflects the consumer's performance and other conduct with respect to the account or other relationship; and
(3) Identifies the appropriate consumer.
(b)
(c)
(1) Provides information to a consumer reporting agency solely to obtain a consumer report in accordance with sections 604(a) and (f) of the Fair Credit Reporting Act;
(2) Is acting as a “consumer reporting agency” as defined in section 603(f) of the Fair Credit Reporting Act;
(3) Is a consumer to whom the furnished information pertains; or
(4) Is a neighbor, friend, or associate of the consumer, or another individual with whom the consumer is acquainted or who may have knowledge about the consumer, and who provides information about the consumer's character, general reputation, personal characteristics, or mode of living in response to a specific request from a consumer reporting agency.
(d)
(e)
(1) Is substantiated by the furnisher's records at the time it is furnished;
(2) Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; and
(3) Includes the information in the furnisher's possession about the account or other relationship that the Board has:
(i) Determined that the absence of which would likely be materially misleading in evaluating a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and
(ii) Listed in section I.(b)(2)(iii) of appendix E of this part.
(a)
(b)
(c)
(a)
(1) The consumer's liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether there is or has been identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account;
(2) The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount on an account, or the amount of the credit limit on an open-end account;
(3) The consumer's performance or other conduct concerning an account or other relationship with the furnisher, such as direct disputes relating to the current payment status, high balance, date a payment was made, the amount of a payment made, or the date an account was opened or closed; or
(4) Any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
(b)
(1) The direct dispute relates to:
(i) The consumer's identifying information (other than a direct dispute relating to a consumer's liability for a credit account or other debt with the furnisher, as provided in paragraph (a)(1) of this section) such as name(s), date of birth, Social Security number, telephone number(s), or address(es);
(ii) The identity of past or present employers;
(iii) Inquiries or requests for a consumer report;
(iv) Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher with an account or other relationship with the consumer);
(v) Information related to fraud alerts or active duty alerts; or
(vi) Information provided to a consumer reporting agency by another furnisher; or
(2) The furnisher has a reasonable belief that the direct dispute is submitted by, is prepared on behalf of the consumer by, or is submitted on a form supplied to the consumer by, a credit repair organization, as defined in 15 U.S.C. 1679a(3), or an entity that would be a credit repair organization, but for 15 U.S.C. 1679a(3)(B)(i).
(c)
(1) The address of a furnisher provided by a furnisher and set forth on a consumer report relating to the consumer;
(2) An address clearly and conspicuously specified by the furnisher for submitting direct disputes that is provided to the consumer in writing or electronically (if the consumer has agreed to the electronic delivery of information from the furnisher); or
(3) Any business address of the furnisher if the furnisher has not so specified and provided an address for submitting direct disputes under paragraphs (c)(1) or (2) of this section.
(d)
(1) Sufficient information to identify the account or other relationship that
(2) The specific information that the consumer is disputing and an explanation of the basis for the dispute; and
(3) All supporting documentation or other information reasonably required by the furnisher to substantiate the basis of the dispute. This documentation may include, for example: a copy of the relevant portion of the consumer report that contains the allegedly inaccurate information; a police report; a fraud or identity theft affidavit; a court order; or account statements.
(e)
(1) Conduct a reasonable investigation with respect to the disputed information;
(2) Review all relevant information provided by the consumer with the dispute notice;
(3) Complete its investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under section 611(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681i(a)(1)) within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section; and
(4) If the investigation finds that the information reported was inaccurate, promptly notify each consumer reporting agency to which the furnisher provided inaccurate information of that determination and provide to the consumer reporting agency any correction to that information that is necessary to make the information provided by the furnisher accurate.
(f)
(i) The consumer did not provide sufficient information to investigate the disputed information as required by paragraph (d) of this section;
(ii) The direct dispute is substantially the same as a dispute previously submitted by or on behalf of the consumer, either directly to the furnisher or through a consumer reporting agency, with respect to which the furnisher has already satisfied the applicable requirements of the Act or this section; provided, however, that a direct dispute is not substantially the same as a dispute previously submitted if the dispute includes information listed in paragraph (d) of this section that had not previously been provided to the furnisher; or
(iii) The furnisher is not required to investigate the direct dispute because one or more of the exceptions listed in paragraph (b) of this section applies.
(2)
(3)
(a)
(i) Uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to a consumer that is primarily for personal, family, or household purposes; and
(ii) Based in whole or in part on the consumer report, grants, extends, or
(2)
(b)
(c)
For purposes of this subpart, the following definitions apply:
(a)
(b)
(c)
(d)
(e)
(f)
(g)
(h)
(i)
(j)
(k)
(l)
(m)
(n)
(1) (i) Except as otherwise provided in paragraphs (n)(1)(ii) and (n)(3) of this section, in the case of credit extended under an open-end credit plan, the annual percentage rate required to be disclosed under 12 CFR 226.6(a)(1)(ii) or 12 CFR 226.6(b)(2)(i), excluding any temporary initial rate that is lower than the rate that will apply after the temporary rate expires, any penalty rate that will apply upon the occurrence of one or more specific events, such as a late payment or an extension of credit that exceeds the credit limit, and any fixed annual percentage rate option for a home equity line of credit;
(ii) In the case of a credit card (other than a credit card that is used to access a home equity line of credit or a charge card), the annual percentage rate required to be disclosed under 12 CFR 226.6(b)(2)(i) that applies to purchases (“purchase annual percentage rate”) and no other annual percentage rate, or in the case of a credit card that has no purchase annual percentage rate, the annual percentage rate that varies based on information in a consumer report and that has the most significant financial impact on consumers;
(2) In the case of closed-end credit, the annual percentage rate required to be disclosed under 12 CFR 226.17(c) and 226.18(e); and
(3) In the case of credit for which there is no annual percentage rate, the financial term that varies based on information in a consumer report and that has the most significant financial impact on consumers, such as a deposit required in connection with credit extended by a telephone company or utility or an annual membership fee for a charge card.
(o)
(p)
(q)
(a)
(1) Uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to that consumer that is primarily for personal, family, or household purposes; and
(2) Based in whole or in part on the consumer report, grants, extends, or otherwise provides credit to that consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of consumers from or through that person.
(b)
(1)
(A) Determining the credit score (hereafter referred to as the “cutoff score”) that represents the point at which approximately 40 percent of the consumers to whom it grants, extends, or provides credit have higher credit scores and approximately 60 percent of the consumers to whom it grants, extends, or provides credit have lower credit scores; and
(B) Providing a risk-based pricing notice to each consumer to whom it grants, extends, or provides credit whose credit score is lower than the cutoff score.
(ii)
(iii)
(B)
(C)
(D)
(iv)
(v)
(B) A credit card issuer engages in risk-based pricing, and the annual percentage rates it offers to consumers are based in whole or in part on a credit score. The credit card issuer takes a representative sample of the consumers to whom it issued credit cards over the preceding six months. The credit card issuer determines that approximately 80 percent of the sampled consumers received credit at its lowest annual percentage rate, and 20 percent received credit at a higher annual percentage rate. Approximately 80 percent of the sampled consumers have a credit score at or above 750 (on a scale of 350 to 850), and 20 percent have a credit score below 750. Thus, the card issuer selects 750 as its cutoff score. A consumer applies to the credit card issuer for a credit card. The card issuer obtains a credit score for the consumer. The consumer's credit score is 740. Since the consumer's 740 credit score falls below the 750 cutoff score, the credit card issuer must provide a risk-based pricing notice to the consumer.
(C) An auto lender engages in risk-based pricing, obtains credit scores from one of the nationwide consumer reporting agencies, and uses the credit score proxy method to determine which consumers must receive a risk-based pricing notice. A consumer applies to the auto lender for credit to finance the purchase of an automobile. A credit score about that consumer is not available from the consumer reporting agency from which the lender obtains credit scores. The lender nevertheless grants, extends, or provides credit to the consumer. The lender must provide a risk-based pricing notice to the consumer.
(2)
(ii)
(iii)
(c)
(i) A consumer applies for a credit card either in connection with an application program, such as a direct-
(ii) Based in whole or in part on a consumer report, the credit card issuer provides a credit card to the consumer with an annual percentage rate referenced in § 222.71(n)(1)(ii) that is greater than the lowest annual percentage rate referenced in § 222.71(n)(1)(ii) available in connection with the application or solicitation.
(2)
(i) The consumer applies for a credit card for which the card issuer provides a single annual percentage rate referenced in § 222.71(n)(1)(ii), excluding a temporary initial rate that is lower than the rate that will apply after the temporary rate expires and a penalty rate that will apply upon the occurrence of one or more specific events, such as a late payment or an extension of credit that exceeds the credit limit; or
(ii) The credit card issuer offers the consumer the lowest annual percentage rate referenced in § 222.71(n)(1)(ii) available under the credit card offer for which the consumer applied, even if a lower annual percentage rate referenced in § 222.71(n)(1)(ii) is available under a different credit card offer issued by the card issuer.
(3)
(ii) The same facts as in the example in paragraph (c)(3)(i) of this section, except that the card issuer provides a credit card to the consumer at a purchase annual percentage rate of 10 percent. The card issuer is not required to provide a risk-based pricing notice to the consumer even if, under a different credit card solicitation, that consumer or other consumers might qualify for a purchase annual percentage rate of 8 percent.
(d)
(i) Uses a consumer report in connection with a review of credit that has been extended to the consumer; and
(ii) Based in whole or in part on the consumer report, increases the annual percentage rate (the annual percentage rate referenced in § 222.71(n)(1)(ii) in the case of a credit card).
(2)
(a)
(i) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that history;
(ii) A statement that the terms offered, such as the annual percentage rate, have been set based on information from a consumer report;
(iii) A statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories;
(iv) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
(v) The identity of each consumer reporting agency that furnished a consumer report used in the credit decision;
(vi) A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;
(vii) A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;
(viii) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports; and
(ix) If a credit score of the consumer to whom a person grants, extends, or otherwise provides credit is used in setting the material terms of credit:
(A) A statement that a credit score is a number that takes into account information in a consumer report, that the consumer's credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer's credit history;
(B) The credit score used by the person in making the credit decision;
(C) The range of possible credit scores under the model used to generate the credit score;
(D) All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;
(E) The date on which the credit score was created; and
(F) The name of the consumer reporting agency or other person that provided the credit score.
(2)
(i) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that credit history;
(ii) A statement that the person has conducted a review of the account using information from a consumer report;
(iii) A statement that as a result of the review, the annual percentage rate on the account has been increased based on information from a consumer report;
(iv) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
(v) The identity of each consumer reporting agency that furnished a consumer report used in the account review;
(vi) A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;
(vii) A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;
(viii) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports; and
(ix) If a credit score of the consumer whose extension of credit is under review is used in increasing the annual percentage rate:
(A) A statement that a credit score is a number that takes into account information in a consumer report, that the consumer's credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer's credit history;
(B) The credit score used by the person in making the credit decision;
(C) The range of possible credit scores under the model used to generate the credit score;
(D) All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;
(E) The date on which the credit score was created; and
(F) The name of the consumer reporting agency or other person that provided the credit score.
(b)
(i) Clear and conspicuous; and
(ii) Provided to the consumer in oral, written, or electronic form.
(2)
(c)
(i) In the case of a grant, extension, or other provision of closed-end credit, before consummation of the transaction, but not earlier than the time the decision to approve an application for, or a grant, extension, or other provision of, credit, is communicated to the consumer by the person required to provide the notice;
(ii) In the case of credit granted, extended, or provided under an open-end credit plan, before the first transaction is made under the plan, but not earlier than the time the decision to approve an application for, or a grant, extension, or other provision of, credit is communicated to the consumer by the person required to provide the notice; or
(iii) In the case of a review of credit that has been extended to the consumer, at the time the decision to increase the annual percentage rate (annual percentage rate referenced in § 222.71(n)(1)(ii) in the case of a credit card) based on a consumer report is communicated to the consumer by the person required to provide the notice, or if no notice of the increase in the annual percentage rate is provided to the consumer prior to the effective date of the change in the annual percentage rate (to the extent permitted by law), no later than five days after the effective date of the change in the annual percentage rate.
(2)
(i) Provides a notice described in §§ 222.72(a), 222.74(e), or 222.74(f) to the consumer within the time periods set forth in paragraph (c)(1)(i) of this section, § 222.74(e)(3), or § 222.74(f)(4), as applicable; or
(ii) Arranges to have the auto dealer or other party provide a notice described in §§ 222.72(a), 222.74(e), or 222.74(f) to the consumer on its behalf within the time periods set forth in paragraph (c)(1)(i) of this section, § 222.74(e)(3), or § 222.74(f)(4), as applicable, and maintains reasonable policies and procedures to verify that the auto dealer or other party provides such notice to the consumer within the applicable time periods. If the person arranges to have the auto dealer or other party provide a notice described in § 222.74(e), the person's obligation is
(3)
(i) The time of the first mailing by the person to the consumer after the decision is made to approve the grant, extension, or other provision of open-end credit, such as in a mailing containing the account agreement or a credit card; or
(ii) Within 30 days after the decision to approve the grant, extension, or other provision of credit.
(d)
(2)
(ii) A person that uses consumer reports to set the material terms of automobile loans granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies, each of which it uses in an underwriting program in order to determine the material terms it will offer to the consumer. That person may choose one of these scores to include in the notices described in paragraph (a)(1) and (2) of this section.
(a)
(2)
(b)
(c)
(i) Obtains a consumer report that is a prescreened list as described in section 604(c)(2) of the FCRA; and
(ii) Uses the consumer report for the purpose of making a firm offer of credit to the consumer.
(2)
(3)
(d)
(i) The consumer requests from the person an extension of credit that is or will be secured by one to four units of residential real property; and
(ii) The person provides to each consumer described in paragraph (d)(1)(i) of this section a notice that contains the following—
(A) A statement that a consumer report (or credit report) is a record of the consumer's credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;
(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer's credit history;
(C) A statement that the consumer's credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
(D) The information required to be disclosed to the consumer pursuant to section 609(g) of the FCRA;
(E) The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer's credit score using the same scale as that of the credit score that is provided to the consumer, presented in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar or by other clear and readily understandable graphical means, or a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. Use of a graph or statement obtained from the person providing the credit score that meets the requirements of this paragraph (d)(1)(ii)(E) is deemed to comply with this requirement;
(F) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
(G) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;
(H) Contact information for the centralized source from which consumers may obtain their free annual consumer reports; and
(I) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.
(2)
(i) Clear and conspicuous;
(ii) Provided on or with the notice required by section 609(g) of the FCRA;
(iii) Segregated from other information provided to the consumer, except for the notice required by section 609(g) of the FCRA; and
(iv) Provided to the consumer in writing and in a form that the consumer may keep.
(3)
(4)
(ii)
(B) A person that uses consumer reports to set the material terms of mortgage credit granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies, each of which it uses in an underwriting program in order to determine the material terms it will offer to the consumer. That person may choose one of these scores to include in the notice described in paragraph (d)(1)(ii) of this section.
(5)
(e)
(i) The consumer requests from the person an extension of credit other than credit that is or will be secured by one to four units of residential real property; and
(ii) The person provides to each consumer described in paragraph (e)(1)(i) of this section a notice that contains the following—
(A) A statement that a consumer report (or credit report) is a record of the
(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer's credit history;
(C) A statement that the consumer's credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
(D) The current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit;
(E) The range of possible credit scores under the model used to generate the credit score;
(F) The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer's credit score using the same scale as that of the credit score that is provided to the consumer, presented in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, or by other clear and readily understandable graphical means, or a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. Use of a graph or statement obtained from the person providing the credit score that meets the requirements of this paragraph (e)(1)(ii)(F) is deemed to comply with this requirement;
(G) The date on which the credit score was created;
(H) The name of the consumer reporting agency or other person that provided the credit score;
(I) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
(J) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;
(K) Contact information for the centralized source from which consumers may obtain their free annual consumer reports; and
(L) A statement directing consumers to the web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.
(2)
(i) Clear and conspicuous;
(ii) Segregated from other information provided to the consumer; and
(iii) Provided to the consumer in writing and in a form that the consumer may keep.
(3)
(4)
(ii)
(5)
(f)
(i) Regularly obtains credit scores from a consumer reporting agency and provides credit score disclosures to consumers in accordance with paragraphs (d) or (e) of this section, but a credit score is not available from the consumer reporting agency from which the person regularly obtains credit scores for a consumer to whom the person grants, extends, or provides credit;
(ii) Does not obtain a credit score from another consumer reporting agency in connection with granting, extending, or providing credit to the consumer; and
(iii) Provides to the consumer a notice that contains the following—
(A) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that history;
(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer's credit history;
(C) A statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms;
(D) A statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
(E) A statement that a credit score about the consumer was not available from a consumer reporting agency, which must be identified by name, generally due to insufficient information regarding the consumer's credit history;
(F) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the consumer report;
(G) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free consumer report from each of the nationwide consumer reporting agencies once during any 12-month period;
(H) The contact information for the centralized source from which consumers may obtain their free annual consumer reports; and
(I) A statement directing consumers to the web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.
(2)
(3)
(i) Clear and conspicuous;
(ii) Segregated from other information provided to the consumer; and
(iii) Provided to the consumer in writing and in a form that the consumer may keep.
(4)
(5)
For purposes of this subpart, the following rules of construction apply:
(a)
(b)
(2)
(3)
(ii) A consumer obtains credit to finance the purchase of an automobile. If a bank or finance company is the person to whom the loan obligation is initially payable, the bank or finance company must provide the risk-based pricing notice to the consumer (or satisfy the requirements for and provide the notice required under one of the exceptions noted above) based on the terms offered by that bank or finance company only. The auto dealer has no duty to provide a risk-based pricing notice to the consumer. However, the bank or finance company may comply with this rule if the auto dealer has agreed to provide notices to consumers before consummation pursuant to an arrangement with the bank or finance company, as permitted under § 222.73(c).
(c)
(2)
(3)
(ii) Two consumers jointly apply for credit with a creditor. The two consumers reside at the same address. The creditor obtains credit scores on each of the two consumer applicants. The creditor grants credit to the consumers. The creditor provides credit score disclosure notices to satisfy its obligations under this subpart. Even though the two consumers reside at the same address, the creditor must provide a separate credit score disclosure notice to each of the consumers. Each notice must contain only the credit score of the consumer to whom the notice is provided.
(a)
(b)
(c)
(2)
(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3)
(a)
(b)
(c)
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.
(a)
(b)
(1)
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.
(2) The term
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(c)
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d)
(2)
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f)
(a)
(b)
(1)
(2)
(c)
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder's former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 222.90 of this part.
(d)
(e)
a. Although use of the model notices is not required, a financial institution that is subject to section 623(a)(7) of the FCRA shall be deemed to be in compliance with the notice requirement in section 623(a)(7) of the FCRA if the institution properly uses the model notices in this appendix (as applicable).
b. A financial institution may use Model Notice B-1 if the institution provides the notice prior to furnishing negative information to a nationwide consumer reporting agency.
c. A financial institution may use Model Notice B-2 if the institution provides the notice after furnishing negative information to a nationwide consumer reporting agency.
d. Financial institutions may make certain changes to the language or format of the model notices without losing the safe harbor from liability provided by the model notices. The changes to the model notices may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model notices. Financial institutions making such extensive revisions will lose the safe harbor from liability that this appendix provides. Acceptable changes include, for example:
1. Rearranging the order of the references to “late payment(s),” or “missed payment(s)”
2. Pluralizing the terms “credit bureau,” “credit report,” and “account”
3. Specifying the particular type of account on which information may be furnished, such as “credit card account”
4. Rearranging in Model Notice B-1 the phrases “information about your account” and “to credit bureaus” such that it would read “We may report to credit bureaus information about your account.”
We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.
We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report.
a. Although use of the model forms is not required, use of the model forms in this appendix (as applicable) complies with the requirement in section 624 of the Act for clear, conspicuous, and concise notices.
b. Certain changes may be made to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Persons making such extensive revisions will lose the safe harbor that this appendix provides. Acceptable changes include, for example:
1. Rearranging the order of the references to “your income,” “your account history,” and “your credit score.”
2. Substituting other types of information for “income,” “account history,” or “credit score” for accuracy, such as “payment history,” “credit history,” “payoff status,” or “claims history.”
3. Substituting a clearer and more accurate description of the affiliates providing or covered by the notice for phrases such as “the [ABC] group of companies,” including without limitation a statement that the entity providing the notice recently purchased the consumer's account.
4. Substituting other types of affiliates covered by the notice for “credit card,” “insurance,” or “securities” affiliates.
5. Omitting items that are not accurate or applicable. For example, if a person does not limit the duration of the opt-out period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they have to opt out before shared eligibility information may be used to make solicitations to them.
7. Adding a statement that the consumer may exercise the right to opt out at any time.
8. Adding the following statement, if accurate: “If you previously opted out, you do not need to do so again.”
9. Providing a place on the form for the consumer to fill in identifying information, such as his or her name and address.
10. Adding disclosures regarding the treatment of opt-outs by joint consumers to comply with § 222.23(a)(2) of this part.
• [Name of Affiliate] is providing this notice.
• [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]
• You may limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we
• Your choice to limit marketing offers from our affiliates will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from our affiliates for [another x years]/[at least another 5 years].
• [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from our affiliates, you do not need to act again until you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
• By telephone: 1-877-###-####
• On the Web:
• By mail: Check the box and complete the form below, and send the form to:
_Do not allow your affiliates to use my personal information to market to me.
• The [ABC group of companies] is providing this notice.
• [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]
• You may limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other [ABC] companies. This information includes your [income], your [account history], and your [credit score].
• Your choice to limit marketing offers from the [ABC] companies will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from the [ABC] companies for [another x years]/[at least another 5 years].
• [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from the [ABC] companies, you do not need to act again until you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
• By telephone: 1-877-###-####
• On the Web:
• By mail: Check the box and complete the form below, and send the form to:
_Do not allow any company [in the ABC group of companies] to use my personal information to market to me.
• [Name of Affiliate] is providing this notice.
• [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]
• You previously chose to limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we share with them. This information includes your [income], your [account history with us], and your [credit score].
• Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:
• By telephone: 1-877-###-####
• On the Web:
• By mail: Check the box and complete the form below, and send the form to:
• The [ABC group of companies] is providing this notice.
• [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]
• You previously chose to limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you
• Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:
• By telephone: 1-877-###-####
• On the Web:
• By mail: Check the box and complete the form below, and send the form to:
• [Name of Affiliate] is providing this notice.
• You may choose to stop all marketing from us and our affiliates.
• [Your choice to stop marketing from us and our affiliates will apply until you tell us to change your choice.]
To stop all marketing, contact us [include all that apply]:
• By telephone: 1-877-###-####
• On the Web: www.—.com
• By mail: Check the box and complete the form below, and send the form to:
The Board encourages voluntary furnishing of information to consumer reporting agencies. Section 222.42 of this part requires each furnisher to establish and implement reasonable written policies and procedures concerning the accuracy and integrity of the information it furnishes to consumer reporting agencies. Under § 222.42(b) of this part, a furnisher must consider the guidelines set forth below in developing its policies and procedures. In establishing these policies and procedures, a furnisher may include any of its existing policies and procedures that are relevant and appropriate. Section 222.42(c) requires each furnisher to review its policies and procedures periodically and update them as necessary to ensure their continued effectiveness.
(a)
(1) The types of business activities in which the furnisher engages;
(2) The nature and frequency of the information the furnisher provides to consumer reporting agencies; and
(3) The technology used by the furnisher to furnish information to consumer reporting agencies.
(b)
(1) To furnish information about accounts or other relationships with a consumer that is accurate, such that the furnished information:
(i) Identifies the appropriate consumer;
(ii) Reflects the terms of and liability for those accounts or other relationships; and
(iii) Reflects the consumer's performance and other conduct with respect to the account or other relationship;
(2) To furnish information about accounts or other relationships with a consumer that has integrity, such that the furnished information:
(i) Is substantiated by the furnisher's records at the time it is furnished;
(ii) Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; thus, the furnished information should:
(A) Include appropriate identifying information about the consumer to whom it pertains; and
(B) Be furnished in a standardized and clearly understandable form and manner and with a date specifying the time period to which the information pertains; and
(iii) Includes the credit limit, if applicable and in the furnisher's possession;
(3) To conduct reasonable investigations of consumer disputes and take appropriate actions based on the outcome of such investigations; and
(4) To update the information it furnishes as necessary to reflect the current status of the consumer's account or other relationship, including, for example:
(i) Any transfer of an account (
(ii) Any cure of the consumer's failure to abide by the terms of the account or other relationship.
In establishing and implementing its policies and procedures, a furnisher should:
(a) Identify practices or activities of the furnisher that can compromise the accuracy or integrity of information furnished to consumer reporting agencies, such as by:
(1) Reviewing its existing practices and activities, including the technological means and other methods it uses to furnish information to consumer reporting agencies and the frequency and timing of its furnishing of information;
(2) Reviewing its historical records relating to accuracy or integrity or to disputes; reviewing other information relating to the accuracy or integrity of information provided by the furnisher to consumer reporting agencies; and considering the types of errors, omissions, or other problems that may have affected the accuracy or integrity of information it has furnished about consumers to consumer reporting agencies;
(3) Considering any feedback received from consumer reporting agencies, consumers, or other appropriate parties;
(4) Obtaining feedback from the furnisher's staff; and
(5) Considering the potential impact of the furnisher's policies and procedures on consumers.
(b) Evaluate the effectiveness of existing policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to consumer reporting agencies; consider whether new, additional, or different policies and procedures are necessary; and consider whether implementation of existing policies and procedures should be modified to enhance the accuracy and integrity of information about consumers furnished to consumer reporting agencies.
(c) Evaluate the effectiveness of specific methods (including technological means) the furnisher uses to provide information to consumer reporting agencies; how those methods may affect the accuracy and integrity of the information it provides to consumer reporting agencies; and whether new, additional, or different methods (including technological means) should be used to provide information to consumer reporting agencies to enhance the accuracy and integrity of that information.
In developing its policies and procedures, a furnisher should address the following, as appropriate:
(a) Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that is appropriate to the nature, size, complexity, and scope of the furnisher's business operations.
(b) Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about consumers to consumer reporting agencies.
(c) Maintaining records for a reasonable period of time, not less than any applicable recordkeeping requirement, in order to substantiate the accuracy of any information about consumers it furnishes that is subject to a direct dispute.
(d) Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting agencies, such as by implementing standard procedures and verifying random samples of information provided to consumer reporting agencies.
(e) Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the policies and procedures.
(f) Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.
(g) Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or sales, or other acquisitions or transfers of accounts or other obligations in a manner that prevents re-aging of information, duplicative reporting, or other problems that may similarly affect the accuracy or integrity of the information furnished.
(h) Deleting, updating, and correcting information in the furnisher's records, as appropriate, to avoid furnishing inaccurate information.
(i) Conducting reasonable investigations of disputes.
(j) Designing technological and other means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of information with the wrong consumer(s), and other occurrences that may compromise the accuracy or integrity of information provided to consumer reporting agencies.
(k) Providing consumer reporting agencies with sufficient identifying information in the furnisher's possession about each consumer about whom information is furnished to enable the consumer reporting agency properly to identify the consumer.
(l) Conducting a periodic evaluation of its own practices, consumer reporting agency practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of
(m) Complying with applicable requirements under the Fair Credit Reporting Act and its implementing regulations.
1. This appendix contains four model forms for risk-based pricing notices and three model forms for use in connection with the credit score disclosure exceptions. Each of the model forms is designated for use in a particular set of circumstances as indicated by the title of that model form.
2. Model form H-1 is for use in complying with the general risk-based pricing notice requirements in Sec. 222.72 if a credit score is not used in setting the material terms of credit. Model form H-2 is for risk-based pricing notices given in connection with account review if a credit score is not used in increasing the annual percentage rate. Model form H-3 is for use in connection with the credit score disclosure exception for loans secured by residential real property. Model form H-4 is for use in connection with the credit score disclosure exception for loans that are not secured by residential real property. Model form H-5 is for use in connection with the credit score disclosure exception when no credit score is available for a consumer. Model form H-6 is for use in complying with the general risk-based pricing notice requirements in Sec. 222.72 if a credit score is used in setting the material terms of credit. Model form H-7 is for risk-based pricing notices given in connection with account review if a credit score is used in increasing the annual percentage rate. All forms contained in this appendix are models; their use is optional.
3. A person may change the forms by rearranging the format or by making technical modifications to the language of the forms, in each case without modifying the substance of the disclosures. Any such rearrangement or modification of the language of the model forms may not be so extensive as to materially affect the substance, clarity, comprehensibility, or meaningful sequence of the forms. Persons making revisions with that effect will lose the benefit of the safe harbor for appropriate use of Appendix H model forms. A person is not required to conduct consumer testing when rearranging the format of the model forms.
a. Acceptable changes include, for example:
i. Corrections or updates to telephone numbers, mailing addresses, or Web site addresses that may change over time.
ii. The addition of graphics or icons, such as the person's corporate logo.
iii. Alteration of the shading or color contained in the model forms.
iv. Use of a different form of graphical presentation to depict the distribution of credit scores.
v. Substitution of the words “credit” and “creditor” or “finance” and “finance company” for the terms “loan” and “lender.”
vi. Including pre-printed lists of the sources of consumer reports or consumer reporting agencies in a “check-the-box” format.
vii. Including the name of the consumer, transaction identification numbers, a date, and other information that will assist in identifying the transaction to which the form pertains.
viii. Including the name of an agent, such as an auto dealer or other party, when providing the “Name of the Entity Providing the Notice.”
b. Unacceptable changes include, for example:
i. Providing model forms on register receipts or interspersed with other disclosures.
ii. Eliminating empty lines and extra spaces between sentences within the same section.
4. Optional language in model forms H-6 and H-7 may be used to direct the consumer to the entity (which may be a consumer reporting agency or the creditor itself, for a proprietary score that meets the definition of a credit score) that provided the credit score for any questions about the credit score, along with the entity's contact information. Creditors may use or not use the additional language without losing the safe harbor, since the language is optional.
H-1 Model form for risk-based pricing notice.
H-2 Model form for account review risk-based pricing notice.
H-3 Model form for credit score disclosure exception for credit secured by one to four units of residential real property.
H-4 Model form for credit score disclosure exception for loans not secured by residential real property.
H-5 Model form for credit score disclosure exception for loans where credit score is not available.
H-6 Model form for risk-based pricing notice with credit score information.
H-7 Model form for account review risk-based pricing notice with credit score information.
Section 222.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 222.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 222.90 of this part.
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
(a)
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b)
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c)
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.
The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.
Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
(a)
(1) Assigning specific responsibility for the Program's implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 222.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b)
(2)
(c)
Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b) Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 222.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or by other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.