PRIA Logo
Start Free Watch
Back to search
Consumer ProtectionConsumer Debt

Credit Reporting Rules

11 min read·Updated Apr 21, 2026

Credit Reporting Rules

The Fair Credit Reporting Act (FCRA, 1970) — codified at 15 U.S.C. §§ 1681–1681x — governs how the three major credit bureaus (Equifax, Experian, TransUnion) collect, maintain, and share credit information on approximately 240 million Americans, and establishes consumer rights to access, dispute, and correct their credit files. The practical stakes are enormous: credit scores derived from these reports determine mortgage eligibility and interest rates (a 100-point score difference can cost $50,000+ over a mortgage), auto loan terms, apartment applications, insurance premiums in some states, and even employment screening in many industries. Key FCRA rights: free annual credit reports from all three bureaus (AnnualCreditReport.com — the CFPB made the COVID-era weekly free reports permanent in 2023); the right to dispute inaccurate information with a 30-day investigation deadline (45 days if you provide additional information); and adverse action notices when credit is denied based on your report. Negative information generally falls off reports after 7 years (10 years for bankruptcy). Medical debt is undergoing rapid change: the CFPB and states have moved to remove medical debt from credit reports entirely — the CFPB finalized a rule in 2025 eliminating medical debt from credit reports, though its implementation has been contested. The FCRA also limits who can access your report (permissible purpose requirement) and regulates the growing use of "specialty consumer reports" for tenant screening, employment, and insurance.

Current Law (2026)

The Fair Credit Reporting Act (FCRA) regulates how consumer credit information is collected, shared, and used, and provides consumers with rights to access and dispute their credit reports.

ParameterValue
Free annual reports1 per bureau per year (AnnualCreditReport.com)
Dispute investigation deadline30 days (45 if consumer provides additional info)
Negative information retention7 years (10 years for bankruptcy)
Medical debt reporting$500 minimum, 1-year waiting period
Credit freezeFree (since 2018)
Fraud alertFree, 1-year initial or 7-year extended
  • 15 U.S.C. § 1681 — Congressional findings: requires credit reporting agencies to use reasonable procedures for fair and accurate reporting
  • 15 U.S.C. § 1681a — Definitions: defines "consumer report," "consumer reporting agency," "investigative consumer report," and permissible purposes
  • 15 U.S.C. § 1681b — Permissible purposes: reports may only be furnished for court orders, consumer consent, credit transactions, employment (with consent), insurance underwriting, legitimate business transactions, or child support determinations
  • 15 U.S.C. § 1681c — Time limits on negative information: bankruptcies 10 years, civil judgments/liens/collections 7 years, arrest records 7 years; no time limit if salary ≥ $75,000 for certain items
  • 15 U.S.C. § 1681g — Consumer disclosure rights: agencies must provide all information in your file, sources of information, list of recent inquiries, and credit score upon request
  • 15 U.S.C. § 1681i — Dispute investigation: agency must reinvestigate within 30 days (45 with additional info), correct or delete unverifiable items, and notify you of results within 5 business days
  • 15 U.S.C. § 1681j — Free annual disclosures: one free report per bureau per 12-month period via centralized source
  • 15 U.S.C. § 1681m — Adverse action notices: anyone who denies credit, raises rates, or takes adverse action based on a credit report must notify you and identify the reporting agency
  • 15 U.S.C. § 1681n — Willful noncompliance: statutory damages $100-$1,000 per violation plus actual damages and attorney fees; obtaining reports under false pretenses carries criminal penalties
  • 15 U.S.C. § 1681s-2 — Furnisher responsibilities: creditors who report to bureaus must ensure accuracy and investigate disputes forwarded by bureaus
  • 12 CFR Part 1022 (Regulation V) — CFPB's FCRA implementation:
    • 12 CFR 1022.20-23 — Affiliate marketing opt-out (scope, duration, and content of opt-out notices)
    • 12 CFR 1022.121 — Active duty alerts (procedures for servicemember fraud protection)
    • 12 CFR 1022.123 — Appropriate proof of identity (for requesting file disclosures)
    • 12 CFR 1022.130 — Definitions for accuracy and integrity of furnished information
    • 12 CFR 1022.136 — Centralized source for requesting annual file disclosures from nationwide CRAs
    • 12 CFR 1022.137 — Streamlined process for requesting annual file disclosures from nationwide specialty CRAs
    • 12 CFR 1022.138 — Prevention of deceptive marketing of free credit reports
    • 12 CFR 1022.140 — Prohibition against circumventing treatment as a consumer reporting agency
    • 12 CFR 1022.141 — Reasonable charges for certain disclosures
    • 12 CFR 1022.142 — Prohibition on inclusion of adverse information in certain cases of human trafficking
  • Fair and Accurate Credit Transactions Act (FACTA, 2003) — Free annual reports, fraud alerts, identity theft provisions
  • 12 CFR Part 1002 (Regulation B) — Equal Credit Opportunity (§ 1002.7: rules on extensions of credit; § 1002.10: furnishing credit information to consumer reporting agencies, including obligation to report in manner that does not discriminate)
  • 12 CFR Part 1003 (Regulation C) — Home Mortgage Disclosure Act (§ 1003.5: disclosure and reporting of mortgage lending data to promote fair lending)

How It Works

Credit reporting in the U.S. runs through three independent bureaus — Equifax, Experian, and TransUnion — each maintaining a separate file on you. Information can differ across bureaus depending on which creditors report to which bureau, meaning an error on one report may not appear on the others. The FCRA's permissible purpose requirement (15 U.S.C. § 1681b) limits who can pull your file: credit applications, employment screening (with your written consent), insurance underwriting, account review, legitimate business transactions, and court orders qualify. Accessing a credit report outside these categories is both a civil FCRA violation and a federal crime. The CFPB holds primary enforcement authority over the three major bureaus.

When information in your file is inaccurate, you have the right to dispute it — with the bureau and with the data furnisher that reported it. Under 15 U.S.C. § 1681i, the bureau must complete its reinvestigation within 30 days (45 days if you submit additional documentation) and must delete or correct any item it cannot verify. The data furnisher carries independent duties under § 1681s-2: when a bureau forwards your dispute, the furnisher must investigate and correct its own records. Most negative information ages off after 7 years; Chapter 7 bankruptcy remains 10 years. See Fair Debt Collection Practices for how disputed debts interact with collection.

Medical debt rules have shifted significantly since 2023. Paid medical debt no longer appears on credit reports, medical debt under $500 is excluded, and medical debt must be at least one year old before it can be reported. Veterans' medical debt from VA facilities is excluded entirely. However, the Biden-era CFPB rule eliminating all medical debt from credit reports was contested by the Trump administration and its status remained uncertain through early 2026 — check individual bureau policies rather than assuming uniform exclusion. See Medical Debt Protections for the full current landscape.

Whenever a creditor, insurer, employer, or landlord takes adverse action based on your credit report — denying credit, charging a higher rate, rejecting an application — § 1681m requires them to give you a written adverse action notice identifying the specific bureau and your right to a free copy of that report within 60 days. That free copy is separate from your annual free reports. Creditors who willfully fail to provide these notices face statutory damages of $100–$1,000 per violation plus actual damages and attorney fees under § 1681n. Obtaining a credit report under false pretenses — misrepresenting your identity or purpose — is a criminal offense carrying up to $250,000 in fines and 2 years imprisonment under §§ 1681q-r.

Credit scores (FICO, VantageScore) are calculated by separate companies using bureau data, not by the bureaus themselves. Both use a 300–850 range. Payment history carries the most weight (~35%), followed by amounts owed (~30%), length of credit history (~15%), new credit inquiries (~10%), and credit mix (~10%). Because bureaus maintain independent files and scoring companies release multiple model versions, your score can vary materially depending on which bureau and which model version a lender pulls — two lenders evaluating the same applicant can see different numbers.

How It Affects You

If you're a consumer monitoring or protecting your credit: You're entitled to free weekly credit reports from all three bureaus (Equifax, Experian, TransUnion) at AnnualCreditReport.com — a right expanded from annual to weekly in 2023. Approximately 1 in 5 consumers has a material error on at least one report, so regular monitoring matters. For broader data privacy considerations around how your credit information is shared, see the federal privacy framework. The single most effective identity theft prevention tool is a credit freeze (also called a security freeze), which blocks all access to your credit file — preventing new accounts from being opened in your name. Freezes are free at all three bureaus under the Economic Growth Act (2018) and can be placed online or by phone; unfreeze temporarily when you actually apply for credit, then refreeze. A fraud alert (also free, lasts 1 year) is lighter — it flags your file for identity verification but doesn't block access. If your information was exposed in a data breach, a freeze is the better choice. See Identity Theft & Consumer Fraud for steps to take after a breach. Medical debt under $500, paid medical debt, and medical debt less than 1 year old should no longer appear on your reports under current rules — but check current bureau policies given regulatory uncertainty in 2025-2026.

If you've found errors on your credit report and need to dispute them: Dispute with both the credit bureau and the data furnisher (the creditor or debt collector that reported the wrong information) — both have independent obligations under FCRA. The bureau must investigate within 30 days (45 if you submit additional documentation) and delete or correct any item it cannot verify (15 U.S.C. § 1681i). The data furnisher must also investigate and correct its own records (§ 1681s-2). Submit your dispute in writing, certified mail, with copies of supporting documentation — not just through the online portal, which may limit your legal options. If the bureau or furnisher fails to correct a clearly inaccurate item, you have a private right of action under FCRA for actual damages, statutory damages of $100–$1,000 per willful violation, plus attorney fees (§ 1681n) — many FCRA attorneys work on contingency.

If you were denied credit, insurance, or employment based on your credit report: The adverse action notice (§ 1681m) you received must identify the specific credit reporting agency and give you 60 days to request a free copy of the report they used. That free copy is separate from your annual free report — request it immediately. Review the report for errors that contributed to the denial; dispute anything inaccurate through the process above. For employment credit checks: the employer must get your written consent before pulling your report, and several states restrict or prohibit employer use of credit reports in hiring decisions (California, New York, Illinois, and others). If the employer didn't get your written consent, that's an FCRA violation.

If you're a lender, employer, or other user of consumer credit reports: You can access credit reports only for a permissible purpose enumerated in § 1681b — credit transactions, employment (with written consent), insurance underwriting, account review, and legitimate business need. Obtaining a credit report without a permissible purpose is both a civil violation and a criminal offense carrying up to $250,000 in fines and 2 years imprisonment (§§ 1681q-r). When you take adverse action — denying credit, charging a higher rate, rejecting a job application — based on credit report information, you must send a written adverse action notice identifying the bureau and the consumer's rights. For employers, FCRA imposes additional pre-adverse action procedures: you must provide the consumer a copy of the report and a summary of rights before taking adverse action, and wait a reasonable time for a response.

State Variations

Several states have enacted credit reporting laws stronger than federal FCRA:

  • CA (CCPA/CCRAA): Broader consumer access rights, longer investigation periods for identity theft, restrictions on use of credit reports in employment
  • NY: Restrictions on use of credit history in employment decisions (NYC), free credit freezes before federal mandate
  • IL: Employee Credit Privacy Act — most employers cannot use credit checks in hiring
  • WA, CO, CT, HI, IL, MD, NV, OR, VT, WA: Restrict or prohibit employer credit checks except for specific positions
  • Security freeze laws: All states now have credit freeze provisions, though the federal law provides the floor

Implementing Regulations

  • 12 CFR Part 1022 — CFPB Fair Credit Reporting (Regulation V) (§§ 1022.136, 1022.137 — centralized and streamlined processes for requesting annual file disclosures)
  • 12 CFR Part 1016 — CFPB privacy of consumer financial information (§ 1016.16 — protection of Fair Credit Reporting Act)
  • 12 CFR Part 1090 — CFPB larger participant supervision (§ 1090.104 — consumer reporting market definition for supervision)
  • 12 CFR Part 1254 — FHFA credit score requirements (§§ 1254.4, 1254.7 — requirements for use of credit scores, credit score assessment)
  • 16 CFR Part 641 — FTC address discrepancy rules (§ 641.1 — duties of users of consumer reports regarding address discrepancies)
  • 16 CFR Part 313 — FTC privacy of consumer financial information (§ 313.16 — protection of FCRA)

Pending Legislation (119th Congress)

  • SJRES 129 — Would nullify a CFPB rule withdrawing the Fair Credit Reporting Act's limited preemption of state laws. Status: Introduced.
  • SJRES 127 — Would block the CFPB from withdrawing the Fair Credit Reporting File Disclosure rule, keeping the original rule in effect. Status: Introduced.
  • SJRES 140 — Would disapprove CFPB's withdrawal of Name-Only Matching Procedures, keeping the original matching rule in effect. Status: Introduced.
  • HR 5775 (Rep. Loudermilk, R-GA) — FCRA Liability Harmonization Act. Limits class-action damages and lawyer fees under the Fair Credit Reporting Act, capping recoveries and tying caps to defendants' net worth. Status: Introduced.
  • SJRES 144 — Nullifies the CFPB's Fair Credit Reporting Act preemption rule (90 Fed. Reg. 48710). Status: Introduced.
  • SJRES 145 — Would block the CFPB's withdrawal of the fair credit reporting permissible-purposes rule. Status: Introduced.
  • SJRES 155 — Would disapprove and invalidate the CFPB rule on FCRA preemption. Status: Introduced.
  • HR 8141 — Would require resellers of consumer report information to follow reasonable procedures for accuracy. Status: Introduced.
  • SJRES 133 — Would block the CFPB from withdrawing the Fair Credit Reporting background-screening rule. Status: Introduced.

Recent Developments

  • CFPB leadership overhaul — enforcement pulled back: Director Rohit Chopra was dismissed in January 2025 and the CFPB was placed under OMB oversight. New leadership paused most CFPB enforcement and rulemaking activity. Several rules were withdrawn or deprioritized. For credit reporting specifically, this means consumer complaints against bureaus and data furnishers may receive less federal enforcement attention. State attorneys general in CA, NY, IL, and other states have signaled they will take a more active role in consumer protection enforcement.
  • Biden CFPB medical debt rule — status uncertain: In January 2025, the Biden CFPB finalized a rule prohibiting the inclusion of medical debt on credit reports (affecting approximately $49 billion in medical debt reported to bureaus for roughly 15 million Americans). The Trump administration's CFPB moved to halt implementation and potentially rescind the rule. As of early 2026, the rule's future is uncertain — whether medical debt continues to be excluded from credit reports depends on judicial and administrative developments. Check current bureau policies directly.
  • Congressional CRA challenges: The 119th Congress has introduced multiple Congressional Review Act resolutions (SJRES 127, 129, 133, 140, 144, 145, 155) targeting CFPB's recent FCRA-related rulemaking — attempting to nullify Biden-era changes to credit reporting rules, preemption, and matching procedures. If any of these pass, they would roll back specific CFPB guidance on how bureaus operate.
  • BNPL reporting expanding: Buy Now Pay Later providers (Affirm, Klarna, Afterpay) began more systematically reporting to credit bureaus in 2024-25. FICO and VantageScore are incorporating BNPL data differently. If you use BNPL frequently, your credit score may now reflect these accounts — both positively (on-time payments) and negatively (high utilization or missed payments).