CFPB Consumer
Laws and Regulations FCRA
CFPB Manual V.2 (October 2012) FCRA 10
consumer, conveys the decision with respect to the request. The third party must advise the
consumer of the name and address of the person, such as a financial institution, to which the
request was made, and such person makes the adverse action disclosures required by Section 615
of the FCRA. For example, this exception allows a lender to communicate a credit decision to an
automobile dealer who is arranging financing for a consumer purchasing an automobile and who
requires a loan to finance the transaction.
“Joint User” Rule. The Federal Trade Commission (FTC) staff commentary discusses another
exception known as the “Joint User Rule.” Under this exception, users of consumer reports,
including financial institutions, may share information if they are jointly involved in the decision
to approve a consumer’s request for a product or service, provided that each has a permissible
purpose to obtain a consumer report on the individual. For example, a consumer applies for a
mortgage loan that will have a high loan-to-value ratio, and thus the lender will require private
mortgage insurance (PMI) in order to approve the application. An outside company provides the
PMI. The lender and the PMI company can share consumer report information about the
consumer because both entities have permissible purposes to obtain the information and both are
jointly involved in the decision to grant the products to the consumer. This exception applies to
entities that are affiliated or nonaffiliated third parties. It is important to note that the GLBA will
still apply to the sharing of nonpublic, personal information with nonaffiliated third parties;
therefore, a person, such as a financial institution, should be aware the GLBA may still limit or
prohibit sharing allowed under the FCRA joint user rule.
Protection of Medical Information – Section 604(g); 15 U.S.C. 1681b(g);
12 CFR 1022, Subpart D
Section 604(g) generally prohibits creditors from obtaining and using medical information in
connection with any determination of the consumer’s eligibility, or continued eligibility, for
credit. The statute contains no prohibition on creditors obtaining or using medical information
for other purposes that are not in connection with a determination of the consumer’s eligibility,
or continued eligibility for credit.
Section 604(g)(5)(A) requires the federal banking agencies and NCUA to prescribe regulations
that permit transactions that are determined to be necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs (including administrative verification
purposes), consistent with the Congressional intent to restrict the use of medical information for
inappropriate purposes. On November 22, 2005, the FFIEC Agencies published final rules in the
Federal Register (70 FR 70664). The rules contain the general prohibition on obtaining or using
medical information, and provide exceptions for the limited circumstances when medical
information may be used. The rules define “credit” and “creditor” as having the same meanings
as in Section 702 of the ECOA (15 U.S.C. 1691a). On December 21, 2011, the CFPB restated
the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308).
Obtaining and Using Unsolicited Medical Information (12 CFR 1022.30(c)). A creditor does not
violate the prohibition on obtaining medical information if it receives the medical information
pertaining to a consumer in connection with any determination of the consumer’s eligibility, or
continued eligibility, for credit without specifically requesting medical information. However,