VIII. Privacy — Fair Credit Reporting Act
Module 2: Obtaining Information and Sharing Among Affiliates
Overview
The Fair Credit Reporting Act (FCRA) contains many
substantive compliance requirements for consumer reporting
agencies that are designed to help ensure the accuracy and
integrity of the consumer reporting system. As noted in the
definitions section, a consumer reporting agency is a person
that generally furnishes consumer reports to third parties. By
their very nature, banks, credit unions, and thrifts have a
significant amount of consumer information that could
constitute a consumer report, and thus communication of this
information could cause the institution to become a consumer
reporting agency. The FCRA contains several exceptions that
enable a financial institution to communicate this type of
information, within strict guidelines, without becoming a
consumer reporting agency.
Rather than containing strict information sharing prohibitions,
the FCRA creates a business disincentive such that if a
financial institution shares consumer report information
outside of the exceptions, then the institution is a consumer
reporting agency and will be subject to the significant,
substantive requirements of the FCRA applicable to those
entities. Typically, a financial institution will structure its
information sharing practices within the exceptions to avoid
becoming a consumer reporting agency. This examination
module generally covers the various information sharing
practices within these exceptions.
If, upon completion of this module, examiners determine that
the financial institution’s information sharing practices fall
outside of these exceptions, the financial institution will be
considered a consumer reporting agency and Module 6 of the
examination procedures should be completed.
Section 603(d) Consumer Report and Information Sharing
Section 603(d) defines a consumer report to include
information about a consumer such as that which bears on a
consumer’s creditworthiness, character, and capacity among
other factors. Communication of this information may cause a
person, including a financial institution, to become a consumer
reporting agency. The statutory definition contains key
exemptions to this definition that enable financial institutions
to share this type of information under certain circumstances,
without becoming consumer reporting agencies. Specifically,
the term “consumer report” does not include:
1. A report containing information solely as to transactions
or experiences between the consumer and the financial
institution making the report. A person, including a
financial institution, may share information strictly related
to its own transactions or experiences with a consumer
(such as the consumer’s payment history, or an account
with the institution) with any third party, without regard to
affiliation, without becoming a consumer reporting
agency. This type of information sharing may, however,
be restricted under the Privacy of Consumer Financial
Information regulations that implement the Gramm-
Leach-Bliley Act (GLBA) because it meets the definition
of non-public personal information under the Privacy
regulations; therefore, sharing it with non-affiliated third
parties may be subject to an opt out under the privacy
regulations. In turn, the FCRA may also restrict activities
that the GLBA permits. For example, the GLBA permits a
financial institution to share a list of its customers and
information such as their credit scores with another
financial institution to jointly market or sponsor other
financial products or services. This communication may
be considered a consumer report under the FCRA and
could potentially cause the sharing financial institution to
become a consumer reporting agency.
2. Communication of such transaction or experience
information among persons, including financial
institutions, related by common ownership or affiliated by
corporate control.
3. Communication of other information (i.e., other than
transaction or experience information) among persons and
financial institutions related by common ownership or
affiliated by corporate control, if it is clearly and
conspicuously disclosed to the consumer that the
information will be communicated among such entities,
and before the information is initially communicated, the
consumer is given the opportunity to opt out of the
communication. This allows a financial institution to share
other information (that is, information other than its own
transaction and experience information) that could
otherwise be a consumer report, without becoming a
consumer reporting agency under the following
circumstances:
a. The sharing of the “other” information is done with
affiliates; and
b. Consumers are provided with the notice and an
opportunity to opt out of this sharing before the
information is first communicated among affiliates.
For example, “other” information can include information
provided by a consumer on an application form
concerning accounts with other financial institutions. It
can also include information obtained by a financial
institution from a consumer reporting agency, such as the
consumer’s credit score. If a financial institution shares
other information with affiliates without providing a
notice and an opportunity to opt out, the financial
institution may become a consumer reporting agency
subject to all of the other requirements of the FCRA.
The opt out right required by this section must be
contained in a financial institution’s Privacy Notice, as
required by the GLBA and its implementing regulations.
VIII–6.6 FDIC Consumer Compliance Examination Manual — September 2015