Legislative Update

October – December 2003

Summary of Federal Legislation – Pending Legislation

Fair and Accurate Credit Transactions Act Signed into Law

Introduced by Rep. Bachus (R-AL) on June 26, 2003.
Status: Signed into law by President George W. Bush on December 4 and became Public Law No. 108-159.

This law permanently extends provisions of the Fair Credit Reporting Act (FCRA) and offers consumers a series of protections against identity theft. The existing FCRA contained provisions preventing states from enforcing credit reporting laws that were more restrictive than the FCRA. Those provisions were set to expire on January 1, 2004. This law removes the sunset provision, and states are now permanently prohibited from enforcing laws stricter than the FCRA that regulate: 1) the prescreening of consumer reports; 2) the time within which credit bureaus must respond to consumer disputes; 3) the duties of users of credit bureau information; 4) the information contained in credit reports; 5) the duties of information providers; and 6) the exchange of credit information between affiliates. The act did not specifically set an effective date for this provision, and federal regulators scrambled to establish one before the end of the year. The regulators set the effective date of these preemptions to December 31, 2003 (see Summary of Federal Regulations section).

The act also establishes several other preemptions concerning: 1) how often consumers can obtain free copies of their credit reports; 2) the disclosure of credit scores used for credit decisions; 3) consumers' opt-out process for exchanges of information (that would otherwise be treated as a credit report) among affiliates; and 4) the duty of lenders to notify consumers that information contained in their credit reports resulted in their receiving credit on less than the most favorable terms.

Identity Theft: Other provisions of the bill address the problem of identity theft. Consumers will be able to initiate fraud alerts when they suspect they are a victim of fraud or identity theft. They can do this by contacting one of the national consumer reporting agencies (CRAs), which will be required to include the alert in the consumer's file, provide the consumer with a free credit report, and alert all of the other national CRAs. For at least 90 days after the alert is made, the CRAs will also include the alert with any credit score generated for the individual. Consumers can request an extended fraud alert, which would require CRAs to include the alert with all credit scores generated for the consumer for seven years following the alert. Lenders may not extend lines of credit (other than open-ended credit card accounts), increase credit limits, or issue additional credit cards to consumers who have a fraud alert attached to their credit scores unless the issuers take reasonable means to verify that they know the true identity of the requester.

Financial regulators will be required to develop rules to help banks and creditors recognize or prevent potential cases of identity theft. One rule will prohibit credit card issuers from sending an additional card to a consumer who has also requested a change of address within the same 30-day period, unless the issuer notifies the cardholder of those requests at his or her former address. Another rule permits consumers to request that CRAs exclude from their credit reports the first five digits of their social security numbers. In addition, businesses that accept credit and debit cards will be prohibited from electronically printing more than the last five digits of a card number or the card's expiration date on the cardholder's receipt.

CRAs will be required to block any information from an individual's file that the individual claims was a result of identity theft. To make a claim, a consumer will file a police report and submit an affidavit of identity theft. The CRA will then be required to notify its source that the information could be the result of identity theft and that an identity theft report has been filed. Resellers of information are exempted from this provision if they are not currently reselling a file that contains the information that the consumer wants blocked. However, if the reseller does have this file, the reseller will be prohibited from redistributing this information. Consumers will be permitted to dispute credit information directly with the furnishers of information, and if a furnisher of information has reason to believe that information might have resulted from identity theft, the furnisher will be prohibited from later sending it to a CRA.

Credit Reports and Scores: The act requires lenders to notify consumers within 30 days of providing negative information about the consumer to a CRA. Consumers will also be entitled to receive from a CRA one free credit report in a 12-month period. The CRA will be required to provide the report within 15 days of the consumer's requesting it. If the consumer requests a reinvestigation after reviewing the report, the CRA will be required to comply within 45 days of receiving the request. CRAs will be prohibited from restructuring as another business organization to circumvent this law. Consumers may request a credit score instead of or in addition to a credit report, and CRAs will be required to provide the credit score (for a reasonable fee) and make several disclosures, including the range of scores that could have been derived using the same model and all of the factors that adversely affected the score.

If a consumer's credit score causes a credit issuer to extend credit at terms less favorable than what might have been offered otherwise, the credit issuer is required to notify the consumer orally, electronically, or in writing. The lender will notify the consumer either during the application for credit or when the application is approved. The notice should include: 1) a statement informing the consumer that the terms offered to the consumer are based on information from a consumer report; 2) the name of the CRA that furnished the report; 3) a statement informing the consumer that he or she may obtain a copy of his or her report from that CRA; and 4) the contact information specified by that CRA for obtaining consumer reports.

Affiliate Sharing: Information that is ordinarily considered a credit report is not subject to the FCRA's limitations on disclosure when it is shared with affiliates. Credit report information (other than medical information) may be shared among affiliates in order to make offers, as long as consumers are given the opportunity to opt out of receiving solicitations about products or services offered by an affiliate of a company with which the consumer does business. The opt-out period will last for five years, at which time the consumer must be notified that the period has expired and be given the chance to renew it. This does not apply to affiliates with which the consumer has a pre-existing business relationship. Examples of pre-existing relationships include financial contracts currently in effect, a transaction between a consumer and a firm that occurred within the last 18 months, or an inquiry initiated by the consumer within the last three months.

Medical Information: The law also protects the confidentiality of consumers' private medical information. The act defines medical information as information related to a person's past, present, or future physical, mental, or behavioral health; the provision of health care to an individual; or the payment for such care. Unless a consumer expressly permits it, medical information cannot be furnished in connection with insurance transactions or for employment purposes. The law also places restrictions on businesses sharing medical information with affiliates. Medical information may be shared with affiliates for transactions or debts arising from medical treatment as long as this information does not convey the nature of the product or services obtained. Providers of medical services and products that share information with CRAs are required to notify the CRAs that they are engaged in this line of business. The CRAs will then code their information so that medical information is not inadvertently disclosed. The FTC will issue guidelines regarding medical information coding.

Employee Screening: The act amends the FCRA to permit employers to obtain credit reports on their existing workers, without obtaining their prior consent, for the purpose of investigating suspected employee misconduct or to comply with federal, state, or local law, or rules promulgated by a self-regulatory organization. If the employer takes an adverse action against the employee on the basis of information obtained in a credit report, it must inform the employee that the reason for the action was due, at least in part, to information contained in his or her credit report.

Summary of Judicial Developments

TILA and FDCPA Do Not Apply to Buyers of Delinquent Credit Card Accounts

Nathan Neff and Robert Robb held delinquent credit card accounts years ago but thought their accounts had been settled. Then, years later, they discovered their accounts had been sold by their original issuers and had accumulated interest at a high rate. Neff and Robb brought suit against the account purchasers, Capital One and Capital Acquisitions and Management Company, charging violations of the Truth in Lending Act (TILA) and the Fair Debt Collection Practices Act (FDCPA). The plaintiffs alleged that the account purchasers failed to send statements or any other notification that would have alerted them to the still open accounts and the accruing interest charges. Further, the plaintiffs claimed that they had settled the accounts long ago. The U.S. Court of Appeals for the Seventh Circuit affirmed a district court's decision and ruled that the plaintiffs could not seek relief under the TILA because the act does not apply to purchasers of credit accounts, since the purchasers were not "creditors" and did not extend the plaintiffs credit or allow them to incur debt. Also, the defendants, by purchasing the delinquent accounts, were not considered debt collectors and therefore were not subject to the FDCPA (Neff v. Capital Acquisitions and Management Co., No. 02-4186).