Blog: Chronicle of Data Protection | 16 June 2010

Regulations Imposing New Obligations on Entities Furnishing Information to Consumer Reporting Agencies Go into Effect on July 1

On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals.  These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.

What Is a CRA, and Who Is a Data Furnisher?

The regulations were issued on July 1, 2009 jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”).  Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes.  As the name sounds, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.

Accuracy and Integrity Rules and Guidelines

The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”  “Accuracy” means that information furnished about an individual correctly:

1. reflects the terms of the relationship with the individual;
2. reflects the individual’s performance and other conduct with respect to the relationship; and
3. identifies the appropriate individual.

“Integrity” means that information furnished about an individual:

1. is substantiated by the data furnisher’s records at the time it is furnished;
2. is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a report about the individual; and
3. includes any information in the furnisher’s possession that the Federal Trade Commission (“FTC”) has determined the absence of which would likely be materially misleading in evaluating the individual.  Regarding the last category, the FTC only has determined an individual’s credit limit with the furnisher, if applicable, must be reported, but it is possible that in the future the FTC could require furnishers to provide other categories of information.

Although this mandate is worded broadly, the regulation also specifically requires that data furnishers “consider” detailed guidelines (which are appended to the regulations) and “incorporate those guidelines that are appropriate.”  By requiring data furnishers to “consider” and “incorporate” these guidelines, the regulation requires data furnishers to conduct an audit of their current furnishing policies and procedures.  Moreover, the guidelines contain a list of specific components of policies and procedures that a furnisher “should address,” making these components de facto requirements of any written policies and procedures that result.  These components include:

• Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about individuals to CRAs.
• Maintaining records for a reasonable period of time in order to substantiate the accuracy of any information about an individual that is subject to a direct dispute by the individual.
• Establishing and implementing appropriate internal controls to ensure accuracy and integrity, such as by implementing standard procedures and verifying random samples of information furnished to CRAs.
• Training staff that participates in activities related to data furnishing.
• Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of furnished data.
• Deleting, updating, and correcting information in internal records, as appropriate, to avoid furnishing inaccurate information.
• Conducting reasonable investigations of disputes.
• Designing technological and other means of communication with CRAs to prevent duplicative reporting, erroneous association of information with the wrong individual(s), and other occurrences that may compromise the accuracy or integrity of data furnished.
• Providing CRAs with sufficient identifying information about each individual about whom information is furnished to enable the CRA to properly identify the individual.
• Conducting a periodic evaluation of internal practices, CRA practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of data furnished.

The regulation also specifies that policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher’s activities.  In addition, the regulation requires that furnishers review their policies and procedures “periodically” and update them as necessary to ensure their continued effectiveness.

Direct Dispute Rules

In addition to the accuracy and integrity rules, the new regulations also contain rules requiring data furnishers in most cases to investigate disputes that individuals submit directly to them regarding the accuracy of information that the furnishers reported to a CRA.  Previously, the law encouraged individuals to submit their disputes through a CRA, rather than directly to data furnishers.

The new rules require data furnishers to conduct “a reasonable investigation” of any such dispute initiated by an individual over furnished data.  Data furnishers do not need to conduct such an investigation, however, if any of a number of exceptions apply, including if the dispute is about the consumer’s identifying information; the identity of past or present employers; inquiries or requests for a consumer report; information derived from public records; information related to fraud alerts or active duty alerts; or information provided to a CRA by another furnisher.

The rules require a data furnisher to respond to disputes received at any business address, unless the furnisher has previously specified an address to the individual submitting the dispute or a specific address is listed on the report of the CRA incorporating the disputed information.  After receiving a valid dispute notice from an individual, the data furnisher must conduct and complete an investigation within thirty days (unless the disputer provides additional information within that period).  If the investigation finds that the information reported was inaccurate, the data furnisher must promptly notify and provide corrections to each CRA to which the furnisher provided inaccurate information.

Compliance Steps

At minimum, data furnishers must establish written policies and procedures regarding the accuracy and integrity of the information relating to its employees that it provides to CRAs.  This will involve conducting a review of existing policies and procedures, both formal and informal, to determine if they comply with the guidelines appended to the regulations, and making modifications as needed.  Data furnishers also must consider the specific components of policies and procedures listed in the guidelines appended to the regulations, and include those specific components in written policies and procedures if applicable.  Further, data furnishers must adopt a process to review these policies and procedures periodically and update them as necessary to ensure their continued effectiveness.

To comply with the direct dispute rules, data furnishers should determine if they furnish any information to CRAs which is not subject to any of the exceptions in the regulation, and if they do, they must establish formal policies and procedures to ensure that they conduct a “reasonable investigation” of all direct disputes about individuals’ information provided CRAs.