Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act

On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). Title X of the Dodd-Frank Act, which is titled the Consumer Financial Protection Act of 2010 (“CFP Act”), amends a number of federal consumer protection laws enacted prior to the Dodd-Frank Act including, in relevant part, the Fair Credit Reporting Act (“FCRA”) and the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). Specifically, Section 1088 of the CFP Act sets out certain amendments to the FCRA and the FACT Act directing the Commission to promulgate regulations that are intended to provide privacy protections to certain consumer information held by an entity that is subject to the jurisdiction of the Commission. Section 1088 amends section 214(b) of the FACT Act—which added section 624 to the FCRA in 2003—and directs the Commission to implement the provisions of section 624 of the FCRA with respect to persons that are subject to the Commission’s enforcement jurisdiction. Section 624 of the FCRA gives a consumer the right to block affiliates of an entity subject to the Commission’s jurisdiction from using certain information obtained from such entity to make solicitations to that consumer (hereinafter referred to as the “affiliate marketing rules”). Under the affiliate marketing rules, the entities covered by the regulations are expected to prepare and provide clear, conspicuous and concise opt-out notices to any consumers with whom such entities have a pre-existing business relationship. A covered entity only has to provide an opt-out notice to the extent that an affiliate of the covered entity plans to make a solicitation to any of the covered entity’s consumers. A covered entity is required to send opt-out notices at the maximum of once every five years. Section 1088 of the CFP Act also amends section 628 of the FCRA and mandates that the Commission implement regulations requiring persons subject to the Commission’s jurisdiction who possess or maintain consumer report information in connection with their business activities to properly dispose of that information (hereinafter referred to as the “disposal rules”). Under the disposal rules, the entities covered by the regulations are expected to develop and implement a written disposal plan with respect to any consumer information within such entities’ possession. The regulations provide that a covered entity develop a written disposal plan that is tailored to the size and complexity of such entity’s business. The purpose of the written disposal plan is to establish a formal plan for the disposal of nonpublic, consumer information, which otherwise could be illegally confiscated and used by unauthorized third parties. Under the rules, a covered entity is required to develop a written disposal plan only once, but may subsequently amend such plan from time to time. In addition, Section 1088 of the CFP Act amended the FCRA by adding the CFTC and the Securities and Exchange Commission (“SEC,” together with the CFTC, the “Commissions”) to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and guidelines and card issuer rules. Under the identity theft rules, entities covered by the regulation are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags for identity theft that are appropriate to the size and complexity of such entity’s business and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding address changes. They are also required to provide for the continued administration of identity theft policies and procedures.

The latest form for Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act expires 2022-11-30 and can be found here.