Auditing FCRA Compliance

Auditing FCRA Compliance

Internal auditors should know the issues surrounding protection of consumer information.

Steven Stachowicz, CFA, CRCM 
Senior Manager, Protiviti 

The accuracy, integrity, and security of consumer credit information have become highly significant consumer and regulatory concerns. Various public and private studies highlight that a sizable percentage of consumer reports contain errors serious enough to affect consumers’ applications for credit, insurance, and employment. Further, millions of Americans become victims of identity theft annually at a cost of tens of billions of dollars to businesses and consumers, not to mention the very personal, and often frustrating, experience for the victims. The Federal Trade Commission (FTC) regularly lists identity theft as a top category of consumer complaints.

These concerns have prompted additional regulatory obligations on furnishers and users of consumer report information. Furnishers include banks and other providers of credit, such as automobile dealers, utility companies, mortgage brokers, telecommunications companies, finance companies, and certain nonbank financial services companies. Institutions that furnish consumer report information or otherwise extend credit to consumers must be aware of key regulations that impact these activities. Internal auditors should be familiar with these regulatory changes, and validate that their institutions have implemented appropriate policies, procedures, and internal controls to ensure compliance with these requirements.

The Fair Credit Reporting Act (FCRA) establishes rules regarding the collection, communication, and use of consumer report information. This includes information that reflects a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part as a factor in determining a consumer's eligibility for credit or insurance for personal, family, or household purposes; for employment purposes; or any other permissible purpose as defined by the regulation. The most familiar type of consumer report is a credit report, compiled by a consumer reporting agency (CRA) such as TransUnion, Equifax, and Experian. These credit reports contain demographic and account-specific information for an individual consumer, as well as a credit score.

In response to concerns regarding the accuracy and integrity of consumer report information and to improve resolution of consumer disputes and prevent identity theft, the United States Congress enacted the Fair and Accurate Credit Transactions Act (FACTA) in 2003. Specific requirements of FACTA have since been implemented in pieces by specific regulations promulgated by the federal banking agencies and the FTC, including three new requirements that became effective in 2010 and one that will become effective in 2011. These new requirements are summarized below:

Consumer Reporting On July 1, 2010, new regulations regarding the accuracy and integrity of consumer reports became effective. These regulations require companies that furnish consumer report information to develop and implement reasonable written policies and procedures regarding the accuracy and integrity of the information furnished to CRAs. Specifically, furnishers should establish standards to:

  • Provide information accurately and with integrity about accounts or other relationships with a consumer.
  • Update the information it furnishes, as necessary, to reflect the current status of the consumer’s account or other relationship.

Companies must implement procedures to identify any practices that can compromise the accuracy or integrity of information furnished to CRAs. Additionally, they must evaluate the effectiveness of existing policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to CRAs and the efficacy of specific methods used to provide information to agencies. Written procedures should address, among other items: 

  • Using standard data reporting formats and standards for compiling and transmitting the data.
  • Furnishing sufficient identifying information about each consumer for whom information is furnished to CRAs to avoid erroneous association of information with another consumer.
  • Training of staff responsible for furnishing information to CRAs.
  • Conducting reasonable investigations of disputes related to the accuracy and completeness of consumer report information.
  • Implementing appropriate internal controls to ensure the accuracy and integrity of the information furnished

Companies must be familiar with — and document — specifically how consumer report information is furnished from their systems. Companies also should disseminate this information to their consumer dispute response and internal monitoring functions to enable internal consistency, as well as to detect and respond to deficiencies when they occur.

Consumer Reporting Disputes Historically, companies that provided consumer report information to CRAs were not obligated to respond to consumer report-related disputes received directly from consumers, though many did for customer service purposes. However, effective July 1, 2010, consumers now have the right to dispute consumer report information directly with the company supplying that information, and companies now have an affirmative obligation to respond to such disputes. Furnishers must conduct reasonable investigations upon receipt of these disputes received and must:

  • Establish a mechanism to receive such disputes from consumers.
  • Develop standards for evaluating the sufficiency of information received from a consumer, including classification of disputes as frivolous or irrelevant.
  • Implement a process to investigate and respond to such disputes and make updates to information furnished previously to CRAs, as necessary.

 Although the volume of disputes received directly from customers is far less than that received from customers via CRAs, the same care is required of companies to investigate these disputes.

Risk-based Pricing Effective Jan. 1, 2011, new rules issued jointly by the Federal Reserve Board and the FTC to implement risk-based pricing notice requirements of FACTA became effective. Subject to some exceptions, businesses that extend credit to consumers primarily for personal, household, or family purposes will be required to provide a risk-based pricing notice to consumers in the following circumstances:

  • A consumer report is used in connection with providing credit with terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers.
  • When, in the course of an account review, the creditor increases a consumer's annual percentage rate based on a deteriorated credit report.

Among other considerations, the required risk-based pricing notices must contain statements that the terms offered have been set based on information from a consumer report, that the terms offered may be less favorable than those offered to consumers with better credit histories, and that the consumer is encouraged to verify the accuracy of the information contained in the credit report. 

The final rule includes a model form that creditors may use to make the notice and affords safe harbor to creditors that use the form. As an alternative to providing risk-based pricing notices, creditors may provide consumers who apply for credit with a free credit score and information about their score. 

Creditors will need to develop and implement policies and procedures to address the risk-based pricing notice requirements and will need to ensure that employees are trained on the new requirements.

Identity Theft Prevention Programs One of the better-known provisions of FACTA is the requirement that creditors develop identity theft “red flag” programs. Compliance with the federal banking agencies’ regulations implementing this provision was mandatory on Nov. 1, 2008, although the effective date of compliance for other creditors has been delayed several times. 

The red flag regulations require creditors to develop written identity theft prevention programs that enable them to detect, prevent, and mitigate identity theft in connection with the opening and servicing of consumer credit accounts. Companies are expected to:

  • Conduct a risk assessment to identify credit accounts subject to this rule and applicable identity theft red flags.
  • Detect and respond to identity theft red flags. Monitor identity theft red flags activity to determine whether the red flags are resolved timely and appropriately, and determine whether controls operate as intended. 
  • Develop and present regular reports to senior management and their boards of directors regarding the effectiveness of their programs.
  • Provide training to employees.
  • Oversee third-party service providers used as part of their programs.
  • Update their programs as necessary to reflect their operating environments.

Since compliance for banking organizations became mandatory in 2008, most financial institutions have implemented written programs, deployed training, and developed monitoring routines and management reporting. However, companies have found that the regulations are not fully prescriptive. As a result, they have had to sort through many operational details to implement the requirements. Further, because financial institution operations are not static and external factors also may affect their programs, updates to the programs initially developed have been mandated to meet the regulatory requirements.

The new FCRA regulations pose significant operational challenges to creditors. Companies should take care to implement programs that meet both the letter and spirit of these regulations. However, forward-thinking companies will view consumer reporting, dispute response, and identity theft prevention programs as opportunities to enhance their customer service and differentiate themselves in the marketplace.

Although the scope of an FCRA audit will vary depending on the nature, size, and complexity of a company, there are certain basic steps that internal auditors should take to validate that a company has effectively and efficiently implemented the FCRA requirements.

Consumer Reporting

  • Review the company’s documented consumer reporting methodology, including the technological logic by which customers are selected from the institution’s system(s) for reporting and how specific information is selected, manipulated, compiled, and ultimately furnished in accordance with industry standards. Auditors well-versed in the company’s operations and systems are critical to assessing the accuracy and completeness of this documentation.
  • Evaluate the company’s regular monitoring of consumer reporting processes for its consistency with the documented consumer reporting program as well as how effectively potential irregularities are detected and resolved. Monitoring performed by the company also should incorporate feedback from CRAs, the company’s personnel, and the disputes resolution processes.
  • Determine if the consumer reporting process has been incorporated into the company’s change management processes to ensure that changes in systems and processes do not adversely affect the accuracy and integrity of information furnished.
  • Assess how the company provides adequate oversight of third-party vendors responsible for consumer reporting. Although data may be furnished on the company’s behalf by its vendor, the company is ultimately responsible for validating the accuracy and completeness of the data, as it will be held accountable by its regulators and customers if deficiencies occur.

Consumer Reporting Disputes

  • Document how the company identifies and tracks the receipt of written disputes from its customers and determines that the correspondence is, in fact, a dispute and is complete.
  • Understand what constitutes a “reasonable” investigation and what systems and/or documents the institution reviews. Reliance only upon an institution’s systems should be questioned; such a review may not be sufficient when other documentation might more strongly support the dispute investigation.
  • Determine how the company has incorporated the consumer reporting methodology documentation into the institution’s detailed consumer reporting dispute resolution procedures for consistency purposes.
  • Inquire if and how the company assesses the “root cause” of disputes received, particularly when inaccuracies are noted and require correction. The company should take steps to avoid refurnishing (“re-polluting”) inaccurate information.

Risk-based Pricing

  • If the company provides a risk-based pricing notice, validate the methodology selected by the company to provide the notice, specifically how products, product categories, and material terms have been defined; how the company has identified terms that are materially less favorable; and if the company has established appropriate procedures to review periodically these determinations for ongoing appropriateness.
  • If the company provides a credit score disclosure as an alternative to the risk-based pricing notice and relies upon the CRA (or third-party reseller of consumer report information) to generate the credit score disclosure, validate that the notice meets the content requirements of the regulation.
  • Confirm that the company has incorporated the risk-based pricing notice (or the alternative credit score disclosure) content and delivery requirements into its ongoing monitoring and review procedures.
  • Determine if management has trained employees appropriately regarding the new disclosure requirements, particularly those employees with “front-line” credit originations, servicing account review, and customer service responsibilities.

Identity Theft Prevention Programs

  • Validate that the institution has conducted a risk assessment, identifying appropriately covered accounts and relevant identity theft red flags.
  • Determine that the company reasonably executes procedures to respond to identity theft red flags (e.g., escalating the referral of red flags for further investigation; validating customer address changes and preventing the issuance of replacement cards until recent address change requests are validated; and taking appropriate action upon the identification of fraud, active duty, or extended alerts noted on a consumer report). Internal auditors should consider reperforming the work performed to validate that procedures were followed appropriately.
  • Assess management and/or board-level reporting. Many companies prepare lengthy reports for the board covering every aspect of the program, rather than focusing primarily on the effectiveness of the institution’s identity theft prevention program. Internal auditing should determine if reports call attention to key metrics (e.g., number of red flags detected by account type or line of business or dollar amount of losses avoided or incurred due to identity theft) and significant incidents involving identity theft and material changes to the program.
  • Evaluate the identity theft program training to determine if management provides employees with specific awareness of the company’s identity theft prevention program, what accounts are subject to the requirements, and how the company addresses identity theft operationally. Internal auditing should determine if the training provides employees with guidance regarding how to comply in practice with program requirements. Example-based training, such as highlighting specific instances of identity theft and potential losses, may be an effective way to demonstrate the company’s program. 

It is important for internal auditors to verify the effectiveness of the company’s implementation of the regulatory requirements and perform independent testing to validate transaction-level compliance with internal procedures and standards. However, internal auditors also can provide added value by evaluating how these programs assist their organizations in achieving their customer service and risk management objectives.

Steven Stachowicz, CFA, CRCM, is a senior manager, regulatory risk consulting, with Protiviti in Chicago.  

To comment on this article, e-mail the FSA Times editor at