Regulation V, which implements the Fair Credit Reporting Act (FCRA), generally requires banks to implement procedures covering the topics listed in your question.
In 2011, the Dodd-Frank Act transferred certain rulemaking authority for the FCRA from the OCC to the CFPB. As a result, the OCC removed its FCRA regulations in 12 CFR 41, and OCC banks now are subject to the CFPB’s FCRA regulations in Regulation V. However, the OCC retained certain fair credit reporting regulations, including the requirements for national banks’ identity theft prevention programs, which must include policies and procedures for identifying and responding to red flags (part (d) of your internal review).
For the remainder of the topics in your internal review, Regulation V appears to include requirements covering each topic. Regulation V provides that each furnisher of consumer information to the credit reporting agencies must “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”
In addition, furnishers are directed to consider the guidelines in appendix E of Regulation V (Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies). Appendix E includes a list of items a furnisher should address in its policies and procedures, including standard data reporting formats and procedures for compiling and furnishing data, appropriate oversight of relevant service providers, reasonable investigations of disputes, and more. Additionally, Subparts C, E and H of Regulation V address affiliate marketing, direct disputes, and risk-based pricing, respectively.
Regarding whether your bank has any marketing affiliates, Regulation V defines an affiliate as “any company that is related by common ownership or common corporate control with another company.” Regulation V defines “common ownership or common corporate control” to include a shared ownership interest (for example, where one company owns 25% or more of another company or one person owns 25% or more of both companies). However, “control” also can be a basis for treating two companies as affiliates — for example, when a company controls the election of another company’s directors, trustees, or general partners or has “a controlling influence over the management or policies of a company.”
For resources related to our guidance, please see:
- OCC, Final Rule, 79 Fed. Reg. 28393, 28396 (May 16, 2014) (“This final rule also amends part 41 to conform with section 1002(12)(F) of the Dodd-Frank Act, which, effective July 21, 2011, transferred to the Consumer Financial Protection Bureau (CFPB) the OCC’s FCRA rulemaking authority for the remaining provisions in part 41. The CFPB has issued rules implementing these FCRA provisions, with which both national banks and Federal savings associations now must comply. [Regulation V, 12 CFR Part 1022] Accordingly, the OCC is removing part 41, subpart C (affiliate marketing), subpart D (medical information), and subpart E (duties of furnishers of information), and § 41.82 (duties of users of consumer information regarding address discrepancies), as they are no longer in effect.”)
- CFPB, Interim Final Rule, Fair Credit Reporting (Regulation V), 76 Fed. Reg. 79307, 79307 (December 21, 2011) (“Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for a number of consumer financial protection laws from seven Federal agencies to the Bureau of Consumer Financial Protection (Bureau) as of July 21, 2011. . . . In light of the transfer of certain rulemaking authority for the Fair Credit Reporting Act (FCRA) from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision to the Bureau, the Bureau is publishing for public comment an interim final rule establishing a new Regulation V (Fair Credit Reporting).”)
- OCC FCRA Regulations, 12 CFR 41.90 (“Duties regarding the detection, prevention, and mitigation of identity theft. . . . (d) Establishment of an Identity Theft Prevention Program—
(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
- (i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
- (ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
- (iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
- (iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.”)
- Regulation V, 12 CFR 1022.42 (“Reasonable policies and procedures concerning the accuracy and integrity of furnished information.
(a) Policies and procedures. Each furnisher must establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency. The policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher's activities.
(b) Guidelines. Each furnisher must consider the guidelines in appendix E of this part in developing its policies and procedures required by this section, and incorporate those guidelines that are appropriate.
(c) Reviewing and updating policies and procedures. Each furnisher must review its policies and procedures required by this section periodically and update them as necessary to ensure their continued effectiveness.”)
- Regulation V, 12 CFR 1022.41(c) (“Furnisher means an entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher when it:
(1) Provides information to a consumer reporting agency solely to obtain a consumer report in accordance with sections 604(a) and (f) of the FCRA;
(2) Is acting as a ‘consumer reporting agency’ as defined in section 603(f) of the FCRA;
(3) Is a consumer to whom the furnished information pertains; or
(4) Is a neighbor, friend, or associate of the consumer, or another individual with whom the consumer is acquainted or who may have knowledge about the consumer, and who provides information about the consumer's character, general reputation, personal characteristics, or mode of living in response to a specific request from a consumer reporting agency.”)
- Regulation V, Appendix E – Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies, Section III. (In developing its policies and procedures, a furnisher should address the following, as appropriate:
(a) Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that is appropriate to the nature, size, complexity, and scope of the furnisher's business operations.
(b) Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about consumers to consumer reporting agencies.
* * * * *
(f) Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.
* * * * *
(i) Conducting reasonable investigations of disputes.
* * * * *
(m) Complying with applicable requirements under the FCRA and its implementing regulations.”)
- Regulation V, 12 CFR 1022.20(a) (“Subpart C of this part applies to any person that uses information from its affiliates for the purpose of marketing solicitations, or provides information to its affiliates for that purpose, other than a person excluded from coverage of this part by section 1029 of the Consumer Financial Protection Act of 2010, title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 137.”)
- Regulation V, 12 CFR 1022.43(a) (“Except as otherwise provided in this section, a furnisher must conduct a reasonable investigation of a direct dispute . . . .”)
- Regulation V, 12 CFR 1022.72(b) (“A person may determine whether paragraph (a) of this section applies by directly comparing the material terms offered to each consumer and the material terms offered to other consumers for a specific type of credit product. For purposes of this section, a ‘specific type of credit product’ means one or more credit products with similar features that are designed for similar purposes. Examples of a specific type of credit product include student loans, unsecured credit cards, secured credit cards, new automobile loans, used automobile loans, fixed-rate mortgage loans, and variable-rate mortgage loans. As an alternative to making this direct comparison, a person may make the determination by using one of the following methods: . . .”)
- Regulation V, 12 CFR 1022.3(b) (“Affiliate means any company that is related by common ownership or common corporate control with another company. For example, an affiliate of a Federal credit union is a credit union service corporation, as provided in 12 CFR part 712, that is controlled by the Federal credit union.”)
- Regulation V, 12 CFR 1022.3(b) (“Common ownership or common corporate control means a relationship between two companies under which:
(1) One company has, with respect to the other company:
- (i) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;
- (ii) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or
- (iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as determined by the applicable prudential regulator (as defined in 12 U.S.C. 5481(24)) (a credit union is presumed to have a controlling influence over the management or policies of a credit union service corporation if the credit union service corporation is 67% owned by credit unions) or, where there is no prudential regulator, by the Bureau; or
(2) Any other person has, with respect to both companies, a relationship described in paragraphs (d)(1)(i) through (d)(1)(ii).”)