50 years of the FCRA

1970 saw the ban of cigarette advertising on TV, the debut of Doonesbury, the inaugural flight of the Boeing 747, and the start of the New York City Marathon. Another notable 1970 first celebrating its 50th anniversary this week: the Fair Credit Reporting Act, the nation’s first consumer financial privacy statute. A review of 50 years of enforcement suggests that the law has been worth its weight in gold to consumers. But it also demonstrates that regular “polishing” is necessary to ensure that entities covered by the FCRA honor their legal obligations.

The FCRA regulates the practices of consumer reporting agencies – CRAs – that collect and compile information into reports used by a wide variety of businesses in making eligibility decisions affecting consumers. What’s in a consumer report? Lots of information, including consumers’ credit history, payment patterns, demographic data, and information compiled from public records – for example, arrests, judgments, and bankruptcies. The statute initially covered primarily CRAs, but over time it’s been amended to expand coverage for two other important categories of businesses in the credit reporting ecosystem: 1) entities that use consumer reports (for example, employers, lenders, and landlords); and 2) entities that furnish information to CRAs.

Even a quick read of the FCRA reveals three notable features that are as applicable today as they were in 1970. First, the law is designed to promote the efficiency of the nation’s consumer credit systems. Pre-FCRA, people had to wait weeks before their applications for credit could be evaluated – delays that could inconvenience and injure consumers. Second, the FCRA includes express mandates to improve the accuracy and integrity of the information included in consumer reports. And third, the law includes provisions to prevent the misuse of sensitive consumer information by limiting access to those who have a legitimate need for it.

The FTC has had primary enforcement authority for the FCRA since the day the ink dried on the statute. Here are a few key developments in the FCRA’s first four decades.

• Credit Bureau of Lorain – The FTC didn’t wait long to bring its first FCRA cases in 1972. The complaint alleged that the credit bureau failed to comply with a central provision of the statute by not requiring that its members certify they had a permissible purpose for accessing consumers’ reports.
• Equifax – In this 1980 action, the FTC alleged that CRA Equifax passed along adverse information about consumers to insurance clients without ensuring that the clients had a permissible purpose. The FTC also charged that in violation of the FCRA’s express time limitations, Equifax included information that was more than 7 years old.
• TRW – This 1991 action charged that CRA TRW provided “mixed files” – files that had information about more than one consumer – violating the FCRA’s bedrock requirement that CRAs have reasonable procedures to ensure maximum possible accuracy of their reports.
• Consumer Credit Reporting Reform Act of 1996 – The law made extensive revisions to the FCRA. First, it expanded the duties of CRAs to respond to consumers’ disputes. Acknowledging the importance to consumers of a swift, but thorough, investigation, the statute required CRAs to complete investigations in 30 days, gave consumers the right to a written notice of the results within five days of completion, and added restrictions on reinserting back into consumers’ reports the information that had been deleted following a dispute. The 1996 Amendments also imposed duties on a class of entities not previously covered by the FCRA: furnishers of information to CRAs.
• Trans Union – In this landmark 2000 decision, the FTC ordered credit bureau Trans Union to stop selling consumer report information in the form of targeted marketing lists since marketing is not a permissible purpose under the FCRA. The FTC alleged that Trans Union impermissibly compiled marketing lists of consumers based on information contained in the company’s consumer reporting database.
• FACT Act of 2003 – Congress’ second major expansion of the FCRA added provisions aimed at helping consumers and businesses combat identity theft and reducing the injury to consumers when the crime occurs. The FACT Act established a national fraud alert system, required merchants to truncate account numbers on electronic credit/debit card receipts, and ordered the FTC and other agencies to promulgate several rules including rules on the proper disposition of consumer report information and on what companies should do to respond to the “red flag” indicators of identity theft. In addition, it gave consumers the right to free annual reports from national CRAs, required “blocking” of information placed on a consumer report as a result of identity theft, and required businesses to provide copies of relevant business records to victims of identity theft.
• ChoicePoint – Arising out of a data breach affecting 163,000 consumers, the FTC’s 2006 settlement with CRA ChoicePoint was one of the first actions to consider the FCRA implications of data breaches. The FTC alleged that the company violated the law by, among other things, failing to have reasonable procedures to verify its customers and ensure they have a permissible purpose. ChoicePoint paid a record-setting $10 million civil penalty and another $5 million in consumer redress.

In 2010, the Consumer Financial Protection Act added another cop to the FCRA beat and the FTC continues to work closely with the Consumer Financial Protection Bureau.

What about recent enforcement efforts? In the past decade, the FTC’s policy work and more than 30 actions against CRAs, users of consumer reports, and furnishers feature a number of firsts, including:

• Spokeo – In 2012, the FTC alleged that data broker Spokeo was a CRA subject to the FCRA. This was the first Commission case to address the sale of Internet and social media data in the employment screening context. The settlement included a civil penalty of $800,000 for violations related to Spokeo’s sale of consumer reports to background screening, human resources, and recruiting professionals.
• HireRight Solutions – The FTC’s 2012 action against HireRight Solutions was the agency’s first case against an employment background screening company. The company paid a $2.6 million civil penalty for allegedly violating the FCRA accuracy and consumer dispute requirements and other provisions.
• Credit Reporting Accuracy Study – In fulfillment of the FACT Act, the FTC published a ground-breaking Report to Congress in 2013 about the accuracy of information in credit reports. It was the first major study that looked at all of the primary groups that participate in the credit reporting and scoring process, including consumers, furnishers (creditors, lenders, debt collection agencies, etc.), the Fair Isaac Corporation (developer of FICO scores), and national credit bureaus. The study found that one in five consumers had an error on at least one of their three credit reports.
• Certegy Check Services and TeleCheck Services – Announced in 2013 and 2014, the FTC’s actions against Certegy Check Services and TeleCheck Services were the agency’s first FCRA cases against check authorization CRAs and first cases alleging violations of the Furnisher Rule. The settlement with Certegy included a $3.5 million civil penalty, as did the settlement with TeleCheck.
• RealPage – This 2018 action against a tenant screening company was the FTC’s first FCRA case examining automated background screening practices. The complaint alleged that RealPage failed to take reasonable steps to ensure the accuracy of consumer reports, resulting in false information that prospective renters had criminal records. The upshot: a $3 million civil penalty.
• Kohl’s – In 2020, the FTC announced its first action against a business for failing to provide transaction records to identity theft victims as required by the FCRA. The settlement with retailer Kohl’s included a $220,000 civil penalty.

What’s next for the FCRA? The protections built into the statute are even more important to consumers in the era of Big Data. Therefore, the FTC will continue to take action against companies that fail to honor the Fair Credit Reporting Act’s provisions.