6 Steps to Achieve FCRA Compliance
The Fair Credit Reporting Act (FCRA) has undergone several revisions since its initial passing in 1970. The most recent version of the text includes revisions from 2018, which you can read here.
Although the majority of the rules outlined in the FCRA apply only to consumer reporting agencies, there are several provisions that affect employers and other businesses. FCRA compliance is a must if you handle any consumer credit information, and Aparavi can help you stay compliant to avoid violations and FTC fines.
1. Determine Whether the FCRA Applies to Your Business
There are essentially two types of entities that can be affected by the FCRA. The first is consumer reporting companies, a list of which can be found here. The other group is businesses that need to access the information reporting companies possess. For the sake of this article, we’re going to focus on the latter group since it’s safe to assume most consumer reporting companies have already reached FCRA compliance.
Do you request credit reports to evaluate potential hires? Are you a landlord or real estate management company looking to validate a new tenant? Do you provide financial instruments and need credit reports to verify a customer’s trustworthiness? If you answered yes, then the FCRA impacts you. Other businesses like insurance providers, utility companies, and even casinos may need to pull consumer reports from the agencies on the aforementioned list.
Aparavi’s system is specifically designed with FCRA compliance in mind. We can help you manage and protect this data, keeping it safe and separate from your other files while simultaneously limiting unauthorized access to sensitive financial information.
2. Determine What Kind of Report You Can Pull
The various consumer reporting agencies specialize in certain types of information. For example, the big three credit bureaus provide financial histories. Several other agencies perform criminal background checks and verify personal information including addresses and phone numbers. You can also obtain medical records and employment histories through these agencies.
The type of report you are allowed to request depends on what the applicant is applying for. Here are some common cases:
If you are pulling a report on a job applicant, you will most likely need to get a criminal background check and possibly a financial report. Medical records are off-limits unless you can justify that the health of the applicant is a prerequisite for the job. For example, a strenuous labor job may need to verify that an applicant does not have a knee problem that could flare up on the job site and cause the company liability.
Lending generally requires a financial report from one of the three credit bureaus. Additional information is not normally needed; however, a medical report requested specifically to search for medical debt may be permissible.
Insurance companies can usually get most of the information they need from public records. However, in the case of health insurance providers, full medical records may be obtained. Since health insurance providers can no longer refuse an applicant based on preexisting conditions, this is generally used only to determine the appropriate premium rates.
Regardless of the type of report you pull, you’ll need to keep track of the data you obtain. Aparavi’s system intelligently recognizes the type of content in your files and tags it accordingly using an automated system. You won’t need to manually label your files any longer. Furthermore, if you pull medical data or other personally identifiable information, Aparavi has you covered with 140+ pre-defined classification policies, ensuring that you won’t violate any other data privacy laws besides the FCRA, like HIPAA.
3. Notify and Get Consent to Pull a Report
You cannot request a report unless you have notified the consumer in question and gotten their consent. This consent must be obtained via a “clear and conspicuous” disclosure. Don’t try to sneak it into the bottom of a form in the fine print. The consumer’s consent needs to be authorized in writing and signed, whether physically or digitally.
4. Inform the Applicant of Your Decision and Provide the Report
When you use a consumer report to make a decision, you must notify the applicant once the decision has been made. If you make an adverse decision, you must also provide the report to the applicant directly so that they have the opportunity to review it and dispute your decision.
In the case of employment decisions, you must provide a “pre-adverse” decision notification, which gives the applicant 5 days to dispute any erroneous information before the decision becomes final. This is not necessary for other purposes.
You must also provide a copy of the Summary of Your Rights Under the FCRA so the applicant is informed of their rights. You can find this document here.
5. Retain Records and Reports
One of the rights afforded to consumers is the right to request additional copies of the report you pulled within the next 60 days.
After that period, you must keep records for 25 months (or 12 months for business credit). The only exception is if you are under investigation for a potential violation of FCRA compliance, in which case the records must be retained.
Aparavi’s pre-defined classification policies can find FCRA records and reports with the click of a button. Since it unifies all your files across your whole system, you can be sure that when you delete a file, no copies are left lingering in hidden places. In addition, our query builder lets you drill down into the data to find the records requested by a particular individual, so you can comply with the request within the 60-day time period.
6. Dispose of Records Properly
Physical copies need to be burned or shredded so that they are permanently destroyed. All copies of electronic records have to be deleted permanently. In addition, our automation features make it easy to set up data retention rules for different classification policies, so you can make sure those FCRA records and reports are kept for the appropriate time period, and then deleted in accordance with your company’s data governance practices.
When you use an intelligent platform like Aparavi, you’ll also be able to locate duplicate files that might not have been deleted according to protocols. These files are notorious for creating security issues. Aparavi prevents those catastrophes.
What Happens If a Company Is Noncompliant?
Violations of the FCRA typically include a fine of $4,093 as of 2020. These violations most often occur because companies fail to provide adverse decision information in a timely manner, fail to include a copy of the report they used when issuing an adverse decision, or pull a report that they were not authorized to access.
These violations can be enforced by government agencies such as the FTC and Consumer Financial Protection Bureau, state officials, and even consumers themselves via civil lawsuits. The FCRA specifically authorizes all of these groups to enforce the law to ensure maximum FCRA compliance.
Fraudulent, deceptive, or unfair practices carry considerably heavier fines.
The best way to stay FCRA compliant is to use a system like Aparavi to keep track of all of your sensitive data and avoid costly fines. A small investment can save you millions down the road if a data breach or cybersecurity incident occurs.
Manage Your Data Carefully
Consumer reports are sensitive pieces of information and breaches can also result in fines. If you routinely perform these requests, you need to be sure that your data is easily monitored and that only authorized personnel can access consumer reports. Call Aparavi to find out how our platform can make managing this information easier and keep you from facing significant civil penalties.