PRIA Logo
Back to search
Consumer ProtectionConsumer Protections

Fair Credit Reporting Act (FCRA)

23 min read·Updated May 12, 2026

Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act (FCRA) governs how consumer credit information is collected, used, shared, and corrected — giving consumers the right to know what's in their credit file, dispute inaccurate information, and limit who can access their report. The three major credit bureaus (Equifax, Experian, TransUnion) plus dozens of specialty bureaus (for employment screening, tenant screening, and insurance) must all comply. FCRA's core rights: you can get free credit reports weekly (made permanent in 2023 at AnnualCreditReport.com); you can dispute errors, and the bureau must investigate within 30 days; most negative information must be removed after 7 years (bankruptcies after 10). The FCRA also requires "permissible purpose" for accessing your credit report — employers need your written consent, and insurers can only use certain data for underwriting. The law is enforced by the CFPB, FTC, and state attorneys general, with private lawsuit rights for willful violations ($100-$1,000 per violation in statutory damages, plus punitive damages). Credit report errors are common — a FTC study found that 1 in 5 consumers had an error on at least one credit report — making the FCRA's dispute rights practically important for anyone managing their financial health.

Current Law (2026)

ParameterValue
Core statuteFair Credit Reporting Act (1970), 15 U.S.C. §§ 1681-1681x; amended by FACTA (2003)
EnforcementCFPB (rulemaking, supervision); FTC (enforcement); state attorneys general
Major credit bureausEquifax, Experian, TransUnion (plus specialty agencies for employment, insurance, tenant screening)
Free credit reportsOne free report per bureau per year (AnnualCreditReport.com); free weekly reports made permanent in 2023
Dispute rightsConsumers can dispute inaccurate information; bureau must investigate within 30 days
Reporting time limitsMost negative information: 7 years; bankruptcies: 10 years; tax liens (removed since 2018)
Civil liabilityWillful noncompliance: actual or statutory damages ($100-$1,000 per violation) plus punitive damages; negligent noncompliance: actual damages
Permissible purposesCredit, insurance, employment (with consent), tenant screening, government license, legitimate business need
  • 15 U.S.C. § 1681b — Permissible purposes (consumer reports may only be obtained for: credit transactions, insurance underwriting, employment purposes (with written consumer authorization), tenant screening, government license or benefit determinations, legitimate business transactions initiated by the consumer, and review of existing accounts)
  • 15 U.S.C. § 1681c — Reporting time limits (negative information must be removed after 7 years for most items, 10 years for bankruptcies; exceptions for credit transactions over $150,000, employment at $75,000+, life insurance over $150,000)
  • 15 U.S.C. § 1681g — Consumer disclosures (consumers have the right to know what's in their file, their credit score, and who has accessed their report)
  • 15 U.S.C. § 1681i — Dispute procedure (consumers may dispute inaccurate information; consumer reporting agency must investigate within 30 days, contact the data furnisher, and delete or correct unverifiable information)
  • 15 U.S.C. § 1681m — Adverse action notices (any person who takes adverse action based on a consumer report must notify the consumer, identify the reporting agency, and inform the consumer of their right to dispute)
  • 15 U.S.C. § 1681n-o — Civil liability (willful violations: statutory damages of $100-$1,000 per violation plus punitive damages and attorney fees; negligent violations: actual damages plus attorney fees)

How It Works

The FCRA governs the consumer reporting industry — the system that collects, maintains, and distributes information about your creditworthiness, character, and reputation. Your credit report affects whether you get a mortgage, credit card, job, apartment, or insurance policy, and at what price. The FCRA is the law that gives you rights over this powerful information system.

The FCRA governs a three-party ecosystem. Data furnishers — banks, credit card companies, collection agencies, landlords, public records sources — report information to the three nationwide credit bureaus (Equifax, Experian, TransUnion), which maintain files on approximately 200 million American adults. Users — lenders, insurers, employers, landlords — purchase consumer reports from the bureaus. The FCRA's most basic protection is permissible purpose: not just anyone can pull your credit report. Access is limited to those evaluating you for credit, insurance, employment (with written consent), tenancy, or a government license — unauthorized access is a federal crime. Specialty consumer reporting agencies covering background checks, tenant screening, insurance claims history (CLUE reports), check-writing history (ChexSystems), and medical information are also covered. Employers must obtain written authorization before pulling your report and must provide a copy plus a "pre-adverse action" notice before using it against you.

When your report contains errors — studies estimate roughly 1 in 5 consumers has a material error — you can dispute directly with the bureau or the data furnisher. The bureau must investigate within 30 days, contact the furnisher, and delete or correct anything that cannot be verified; if resolved in your favor, the bureau must notify all users who received the report in the past 6 months (2 years for employment). When you're denied credit, insurance, employment, or housing based on your report, you must receive an adverse action notice identifying the reporting agency, the specific reasons for the decision, and your right to a free report and dispute. For identity theft: FACTA (2003) added the right to place fraud alerts (90-day or 7-year) requiring creditors to verify identity before extending credit, and free security freezes (since 2018) that completely block file access until lifted. You're entitled to one free credit report per year from each bureau through AnnualCreditReport.com — free weekly reports, made permanent in 2023, are also available — plus additional free reports when denied credit, when unemployed and job-seeking, when on public assistance, or when you have reason to believe your file is compromised.

How It Affects You

If you're a consumer managing your finances: Go to AnnualCreditReport.com to pull your free weekly credit reports from all three bureaus — Equifax, Experian, and TransUnion. Review them before any major application (mortgage, car loan, apartment, job). The FTC study finding errors in 1 in 5 consumer reports is not a scare tactic — inaccurate information can cost you loan approval or add percentage points to your interest rate. If you find an error, dispute it directly with the bureau using their online portal or by certified mail (keep a paper trail). The bureau has 30 days to investigate, must contact the data furnisher (the bank or collection agency that reported the item), and must delete or correct anything that can't be verified. If your dispute is resolved in your favor, the bureau must notify everyone who received the report in the past 6 months. Most negative information — late payments, collections, charge-offs — must come off your report after 7 years. Bankruptcies fall off after 10 years. Medical collections under $500 were removed from reports as of 2023, and the CFPB's 2024 medical debt rule eliminated most medical debt from credit reports entirely.

If you've been denied credit, a job, housing, or insurance: The entity that used your report to make an adverse decision must give you an adverse action notice with the name of the credit bureau, the specific reasons for the decision (or a code you can look up), and notice that you have the right to a free report and to dispute. Request your free report immediately — you're entitled to it within 60 days of the adverse action notice. Look at what the adverse action notice cited and whether it matches your actual report. If you find errors, dispute them. If the information is accurate but the decision still seems wrong, the Equal Credit Opportunity Act separately prohibits discrimination based on race, sex, national origin, age, or other protected characteristics in credit decisions. For employment adverse actions, the employer must also give you a "pre-adverse action" notice with a copy of the report before making the final decision — giving you an opportunity to dispute.

If you're a victim of identity theft: Act immediately. You can place a fraud alert on your credit files at any one bureau (they're required to notify the others) — lasts 90 days, and requires creditors to take extra steps to verify identity. A 7-year extended fraud alert is available for verified identity theft victims. Even stronger: place a security freeze at each of the three bureaus separately — this completely blocks access to your credit file until you lift it, preventing new accounts from being opened. Security freezes are free since 2018 and can be placed and lifted online at each bureau's website. File an identity theft report with the FTC at IdentityTheft.gov — the report is free, walks you through your recovery steps, and generates a document you can use to block fraudulent information from your credit reports (bureaus must block it within 4 business days).

If you're a lender, employer, landlord, or background screening company: You must have a permissible purpose under 15 U.S.C. § 1681b before accessing a consumer report — and using a report for a purpose other than the one you had is a federal violation. For employment, the requirements are stricter: you need written authorization before pulling the report, you must give the consumer a copy before taking adverse action, and you must give a pre-adverse action notice with the specific reasons before making a final negative employment decision. For tenant screening and credit decisions, you need an adverse action notice after the fact. The CFPB and FTC can impose civil penalties; consumers can also sue for willful violations and recover $100-$1,000 per violation in statutory damages plus punitive damages and attorney fees — making FCRA class actions by consumers common in employment and tenant screening contexts. Check whether your state has additional restrictions: California, Colorado, and Illinois limit credit checks for employment beyond the federal floor.

State Variations

  • Many states have enacted their own credit reporting laws that exceed FCRA protections
  • Several states (California, New York, Colorado) provide additional free credit reports beyond the federal requirement
  • Some states restrict the use of credit reports for employment decisions (California, Colorado, Illinois, others)
  • State security freeze laws preceded and influenced the federal free freeze provision
  • State identity theft laws may provide additional remedies beyond FCRA

Implementing Regulations

  • 12 CFR Part 1022 — Regulation V (Fair Credit Reporting): the CFPB's primary implementing rule for the FCRA, covering accuracy, dispute resolution, consumer disclosures, affiliate marketing, medical information, and risk-based pricing notices. Key provisions:

    • §§ 1022.20-1022.27 — Affiliate marketing opt-out: a company may not use "eligibility information" received from an affiliate to solicit consumers for marketing unless the consumer received a clear written notice of the right to opt out and the opt-out period has run (at least 30 days); opt-out is effective for 5 years and renewable; exceptions for existing customers and prior express consent
    • §§ 1022.30-1022.32 — Medical information restrictions: creditors cannot obtain or use medical information (including debt owed to medical providers) in credit decisions except for specific permitted purposes; consumer reporting agencies cannot share medical information with affiliates for marketing
    • § 1022.38 — Medical debt reporting duty: CRAs may include medical debt in a consumer report furnished to a creditor only if the CRA has reason to believe the creditor intends to use the information for a permissible purpose (not general marketing); 2024 CFPB rulemaking proposed eliminating most medical debt from credit reports
    • §§ 1022.40-1022.43 — Furnisher accuracy requirements: every entity that furnishes consumer information to a CRA must establish and implement reasonable written policies and procedures regarding accuracy and integrity; furnishers must conduct a "reasonable investigation" of direct disputes filed by consumers within 30 days; furnishers must update or delete inaccurate information found through investigation; a furnisher may decline to investigate a dispute only if it determines it is frivolous or irrelevant
    • §§ 1022.70-1022.75 — Risk-based pricing notices: any creditor that uses a consumer report and offers credit at terms materially less favorable than the most favorable terms available must provide a "risk-based pricing notice" disclosing this fact; exceptions include providing a credit score disclosure to all applicants (the "score disclosure exception") and adverse action notices; consumers must receive the notice before consummating the credit transaction
    • § 1022.121 — Active duty alerts: when a service member requests an active duty alert, the CRA must maintain it for 12 months; alerting CRAs must use reasonable procedures to notify third-party CRAs
    • § 1022.123 — Proof of identity for security freezes and fraud alerts: CRAs must develop reasonable requirements for identity verification before placing, lifting, or removing a security freeze or fraud alert
    • §§ 1022.130-1022.137 — Annual file disclosures: nationwide CRAs (Equifax, Experian, TransUnion) must provide one free annual disclosure upon consumer request; the centralized source is AnnualCreditReport.com and (877) 322-8228; specialty CRAs must have a streamlined process; the Covid-19 pandemic prompted the three major bureaus to offer weekly free reports (made permanent in 2023)
    • § 1022.138 — No deceptive marketing of "free" credit reports: websites and services must not use "free credit report" language in a way that is deceptive; the consumer must be clearly directed to the FCRA-mandated free annual report at AnnualCreditReport.com before being offered any paid product
    • § 1022.82 — Address discrepancy duty: when a user of a consumer report receives a notice of address discrepancy from a CRA, the user must implement reasonable policies to form a reasonable belief of the consumer's identity before furnishing information

  • 12 CFR Part 1016 — Regulation P: privacy of consumer financial information, including notice and opt-out requirements for sharing nonpublic personal information under FCRA privacy protections

  • 12 CFR Part 1090 — Defining larger participants in the consumer reporting market for CFPB supervisory authority

  • 16 CFR Part 609 — Free Electronic Credit Monitoring for Active Duty Military: the FTC's implementing regulation for FCRA § 605A(k)(2) (15 U.S.C. § 1681c-1(k)(2)), requiring the three nationwide consumer reporting agencies (Equifax, Experian, TransUnion) to provide a free electronic credit monitoring service to active duty military consumers upon request. The FTC retains enforcement authority for this provision (distinct from CFPB's broader Reg V jurisdiction). Key provisions:

    • § 609.3 — General requirement: nationwide CRAs must provide free electronic credit monitoring; CRAs may condition the service on the consumer providing appropriate proof of identity, contact information (name and email address), and proof of active duty status verified through a DOD-approved method or CRA-approved certification process; the CRA cannot impose any other prerequisite; eligibility extends to National Guard members (10 U.S.C. § 101(c)) in addition to regular active duty service members
    • § 609.4 — 48-hour notice: the monitoring service must alert the consumer within 48 hours of any material addition or modification to the credit file — not just at periodic intervals; material additions include new accounts, new derogatory information, public records, and address changes
    • § 609.5 — Notice contents: each alert must include a hyperlink to the CFPB's FCRA consumer rights summary; when the alert provides access to the consumer's file, the CRA must furnish the complete file contents as of the time of the notification

    Part 609 addresses a documented vulnerability: service members deployed overseas are uniquely susceptible to identity theft and credit fraud because they may be unable to monitor their own credit files for months at a time. The free monitoring requirement (enacted in the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018) ensures that deployed personnel receive real-time alerts to suspicious account activity without incurring commercial monitoring fees.

  • 16 CFR Part 640 — Risk-Based Pricing Notices for Motor Vehicle Dealers: the FTC's implementing regulation for FCRA § 615(h) (15 U.S.C. § 1681m(h)), applying specifically to auto dealers — carved out from CFPB jurisdiction by Dodd-Frank § 1029 (12 U.S.C. § 5519) and therefore regulated by the FTC rather than by CFPB's Reg V (12 CFR Part 1022). When an auto dealer uses a consumer report and offers a consumer credit terms that are materially less favorable than the terms available to a substantial proportion of its other customers, the dealer must send a risk-based pricing notice before the transaction closes:

    • § 640.3 — General requirement: the dealer compares the annual percentage rate (or other material terms) offered to the consumer against the terms offered to a substantial proportion of consumers for the same type of credit product; if the consumer receives worse terms, a notice is required before consummating the transaction; the dealer may also satisfy the requirement by providing credit score disclosures to all applicants (the "score disclosure exception")
    • § 640.4 — Notice contents: the risk-based pricing notice must explain that the consumer's terms were based on a consumer report, identify the CRA(s) used, state that the consumer's terms may be less favorable than those available to consumers with better credit histories, and inform the consumer of the right to obtain a free credit report from the identified CRA within 60 days of receiving the notice
    • § 640.5 — Exception for specific terms: no notice is required if the consumer applied for specific material terms (a specific interest rate) and received exactly those terms — the notice requirement applies when the dealer sets the rate after reviewing the credit report, not when the rate was negotiated upfront; assignees who purchase the credit contract after consummation are also not subject to the notice requirement

    Auto dealer risk-based pricing is a significant consumer finance issue because auto loans are among the largest non-mortgage consumer credit markets and because the historical pattern of dealer discretionary markup — adding basis points above the captive finance company's "buy rate" at the dealer's discretion — was found to correlate with race and ethnicity in multiple enforcement actions. Part 640 gives consumers the information to recognize when their credit file determined their loan terms and the right to check what that file contained. Recent rulemakings: 75 FR 2769 (January 2010) — original joint FTC/Federal Reserve rule; 84 FR 23473 (May 2019) — technical amendments following Dodd-Frank jurisdiction transfer from the Fed to the FTC for motor vehicle dealers.

  • 16 CFR Part 682 — Disposal of Consumer Report Information and Records: the FTC's implementing regulation for Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) — the rule requiring businesses to take reasonable measures to protect against unauthorized access to consumer report information when disposing of it. The identity theft prevention rationale: discarded paper documents, unwiped hard drives, and improperly deleted electronic files containing consumer report data are a primary vector for identity thieves who "dumpster dive" or access e-waste. Applies to any person or entity under FTC jurisdiction that maintains or possesses consumer information for a business purpose — not just financial institutions, but any business that pulls credit reports or receives data derived from credit reports. Key provisions:

    • § 682.3 — Standard for proper disposal: any person who maintains consumer information (any record about an individual that is a consumer report or derived from one) must dispose of it by taking reasonable measures to protect against unauthorized access in connection with disposal; the rule is performance-based — no specific method is mandated, but examples of reasonable measures include: (a) paper documents: burning, pulverizing, or shredding so the information cannot be reconstructed; (b) electronic media: destroying or erasing so the information cannot be retrieved or reconstructed; (c) contracting with a disposal firm: hiring a document disposal company (shredding service, certified e-waste recycler) that certifies it will maintain appropriate disposal procedures and enter into a written contract attesting to compliance
    • § 682.4 — Relation to other laws: the disposal rule does not require a person to maintain or destroy any record that is not required by other law; if another statute requires that a consumer report-derived record be retained for a minimum period (e.g., employment records under EEOC regulations, lending records under ECOA), the disposal rule does not override that retention obligation; once the retention period has passed, however, the disposal standard applies

    Part 682's practical scope is broader than many businesses recognize. Any entity that pulls credit reports for employment screening, tenant screening, or vendor background checks possesses consumer information subject to the disposal rule — not just banks and credit unions. An HR department that throws away paper employment background check reports without shredding, or an IT department that disposes of computers without wiping drives that stored applicant credit data, violates this rule. The FTC enforces Part 682 as an unfair or deceptive act through administrative proceedings and federal court injunctions. Effective date: June 1, 2005. No major Part 682 amendments since promulgation — the performance-based standard has remained flexible enough to accommodate new disposal technologies (solid-state drive wiping, degaussing, physical destruction).

  • 16 CFR Part 680 (FTC Affiliate Marketing — Motor Vehicle Dealers) — the FTC's implementation of FCRA § 624 (15 U.S.C. § 1681s-3), specifically for motor vehicle dealers carved out from CFPB jurisdiction by Dodd-Frank § 1029 (12 U.S.C. § 5519); the CFPB's parallel rule (12 CFR Part 1022, §§ 1022.20–1022.27) covers all other covered entities. Section 624 prohibits affiliates from using consumer "eligibility information" — transaction, experience, and other information shared within a corporate family — to make marketing solicitations unless the consumer first received a clear, conspicuous notice of the right to opt out and did not opt out. Key provisions:

    • § 680.21 — Core opt-out requirement: an auto dealer may not use eligibility information received from an affiliate to make solicitations to a consumer unless the consumer received a clear written notice disclosing that the dealer may use affiliate-shared information for marketing, was given a reasonable opportunity (at least 30 days from the notice) to opt out, and has not opted out; eligibility information includes credit application data, transaction history, and other consumer data obtained in connection with financial products or services; exceptions apply when the consumer has an existing relationship with the soliciting entity or has given prior express consent
    • § 680.22 — Scope and duration: an opt-out covers all affiliates identified in the notice and remains effective for at least 5 years; the consumer's opt-out covers solicitations from all affiliates named in the notice, not just the one that sent it; a consumer who opens a new account during an active opt-out period does not restart the opt-out clock — the existing election remains in place until the 5-year period expires
    • § 680.23 — Notice contents: the opt-out notice must clearly and conspicuously disclose the name(s) of the affiliates providing the notice; a list of the affiliates or types of affiliates whose use of eligibility information is restricted; a description of the eligibility information that may be used; and a reasonable and simple opt-out method (check-off box, toll-free number, return form, or electronic mechanism); the notice may be consolidated with any GLB privacy notice or other FCRA notices delivered at the same time
    • §§ 680.24–680.26 — Reasonable opportunity and delivery: consumers must have at least 30 days to respond after receiving the notice; delivery is satisfied by mail, hand-delivery, or electronic means where the consumer has agreed to receive electronic disclosures; notices posted on a website only satisfy the requirement if the consumer is required to acknowledge receipt; oral opt-out methods alone are insufficient — the dealer must provide a written or electronic method
    • § 680.27 — Renewal: after the 5-year opt-out period expires, the dealer must provide a renewal notice before making any new affiliate-sourced solicitations to a previously opted-out consumer; the renewal notice must comply with the same requirements as the initial notice and give the consumer another 5-year opt-out right

    Part 680 is narrow in scope — it applies only to auto dealers, which Dodd-Frank specifically exempted from CFPB authority in deference to the auto dealer lobby — but the underlying FCRA §624 right operates identically for all covered entities under CFPB's Reg V. The practical impact for auto dealers: any shared customer database linking a dealership's financing affiliate (e.g., captive auto finance company) with its sales operation for marketing purposes triggers the opt-out requirement. Dealers who pull a customer's credit for financing and then use that credit information to generate marketing lists for related financial products without opt-out compliance face FTC enforcement. Original rulemaking: 72 FR 61455 (October 30, 2007) — joint rule by FTC and other banking agencies implementing FACTA §214; 84 FR 23473 (May 2019) — technical amendments following Dodd-Frank jurisdiction transfer.

  • 17 CFR Part 162 (CFTC — FCRA Consumer Information Protections for Commodity Firms) — the Commodity Futures Trading Commission's implementation of FCRA consumer protection rules for futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants, and swap dealers — the commodity and derivatives industry counterpart to CFPB's Reg V (12 CFR 1022) and FTC's parallel rules. Three subparts:

    • Subpart A — Affiliate Marketing (§§ 162.3–162.8): mirrors CFPB Reg V's affiliate marketing rule — a commodity firm may not use eligibility information from an affiliate to solicit consumers for marketing unless the consumer received a clear, conspicuous written notice and had a reasonable opportunity (at least 30 days) to opt out; opt-out covers all named affiliates and remains effective for 5 years; the notice may be consolidated with any other FCRA notice delivered at the same time
    • Subpart B — Disposal Rules (§ 162.21): commodity firms that maintain consumer information for a business purpose must adopt reasonable written policies addressing administrative, technical, and physical safeguards; proper disposal means shredding, burning, pulverizing, or electronically wiping so consumer data cannot be read or reconstructed — or contracting with a certified disposal firm; the "reasonable measures" standard is the same performance-based approach as 16 CFR Part 682 (FTC disposal rule)
    • Subpart C — Identity Theft Red Flags (§§ 162.30–162.32): futures industry entities that function as financial institutions or creditors with covered accounts must implement written identity theft prevention programs — detecting "red flags" (patterns, practices, or activities indicating possible identity theft), responding appropriately, and periodically updating the program; card issuers must validate any address change followed within a short period by a request for an additional or replacement card

    Part 162 applies regardless of whether a firm is required to register with the CFTC — the rules bind any futures commission merchant, swap dealer, or commodity trading advisor that holds consumer information. Practically, this means swap dealers and commodity trading advisors that maintain customer credit or personal financial information (common in structured products and managed accounts) must meet FCRA data handling obligations even if they are not classified as "financial institutions" under Gramm-Leach-Bliley. Recent rulemakings: 66 FR 21252 (April 2001) — original rule; 89 FR 71820 (September 2024) — technical amendments updating CFTC references.

  • 16 CFR Part 642 (FTC Prescreen Opt-Out Notice — Motor Vehicle Dealers) — the FTC's implementing regulation for FCRA § 615(d) (15 U.S.C. § 1681m(d)) as amended by FACTA § 213(a), applying specifically to auto dealers (carved out from CFPB jurisdiction by Dodd-Frank § 1029). When a dealer obtains a prescreened consumer report from a CRA to make unsolicited credit or insurance offers, federal law requires the dealer to include a clear notice of the consumer's right to opt out of receiving future prescreened offers. Key provisions:

    • § 642.3 — Short notice: any prescreened solicitation mailing or communication must prominently include a brief statement — no longer than 100 words — telling the consumer that the offer was based on information in their credit report and directing them to call 1-888-5-OPTOUT (the nationwide opt-out number) or visit OptOutPrescreen.com to be removed from prescreened offer lists; the short notice must appear on the front page of any written solicitation
    • § 642.4 — Long notice: the solicitation must also include a longer disclosure (no word limit) that explains the prescreening process, identifies the CRAs that supplied the consumer's file to the dealer, describes what information was used to select the consumer, and informs the consumer of their right to opt out of prescreened lists for five years (or permanently) through the opt-out system; the long notice may appear elsewhere in the mailing as long as it is clear and conspicuous
    • § 642.5 — Relation to other requirements: the Part 642 opt-out notice obligation is independent of (and does not satisfy) the risk-based pricing notice under Part 640 or the affiliate marketing opt-out under Part 680; dealers that do all three — pull prescreened lists, use credit data for pricing, and share consumer data within an affiliate group — must comply with all three Parts separately

    The prescreening opt-out right is significant because it limits the "invisible" secondary market for consumer credit data. When a consumer calls 1-888-5-OPTOUT, they stop all four major CRAs (Equifax, Experian, TransUnion, and Innovis) from sharing their contact information with creditors or insurers for unsolicited pre-approved offers — without any knowledge of which specific dealers or lenders were planning to target them. Recent rulemaking: 86 FR 50850 (September 10, 2021) — technical updates conforming Part 642 to Dodd-Frank's transfer of auto-dealer FCRA jurisdiction from the Federal Reserve to the FTC.

  • 16 CFR Part 660 (FTC Furnisher Accuracy Duties — Motor Vehicle Dealers) — the FTC's implementing regulation for FCRA § 623 (15 U.S.C. § 1681s-2), specifically for auto dealers furnishing consumer credit information to CRAs — the same statutory duties that CFPB implements for all other furnishers under 12 CFR Part 1022 (§§ 1022.40–1022.43). An auto dealer that reports a consumer's payment history, account balance, or delinquency status to Equifax, Experian, or TransUnion is a "furnisher" and must meet these obligations. Key provisions:

    • § 660.3 — Written policies for accuracy and integrity: every dealer that furnishes consumer information to a CRA must establish, implement, and update reasonable written policies and procedures regarding the accuracy and integrity of that information; the policies must address: how the dealer ensures data accuracy before furnishing; how the dealer corrects and updates information it learns is inaccurate; what protocols govern the furnishing of information about accounts discharged in bankruptcy, accounts sold to debt buyers, or accounts in active dispute; the FTC does not mandate specific procedures — the standard is "reasonable" given the nature, size, complexity, and scope of the dealer's activities
    • § 660.4 — Investigation of direct disputes: when a consumer disputes the accuracy of information that the dealer furnished to a CRA by contacting the dealer directly (rather than going through the CRA's dispute system), the dealer must (a) acknowledge receipt of the dispute within 5 business days; (b) conduct a reasonable investigation of the disputed information; (c) review all relevant information provided by the consumer; (d) complete the investigation and report results to the consumer within 30 days (extended to 45 days if the consumer provides additional information); (e) notify the relevant CRAs of corrections if the dispute is found valid; a dealer may decline to investigate only if it determines the dispute is frivolous or irrelevant (e.g., the consumer is disputing a different entity's account or providing no specific basis)

    Part 660 closes a significant gap in the consumer protection architecture: the dealer who originally reported a derogatory item to a credit bureau has special knowledge about the underlying transaction that the CRA does not possess. When a consumer disputes an auto loan account directly with the reporting dealer — for instance, claiming a payment was recorded as late when it was timely — the dealer must investigate its own records, not just defer to whatever it previously reported. This "furnisher direct dispute" right (codified by FACTA § 312) gives consumers a second avenue when the CRA's own investigation fails to resolve an inaccuracy. Recent rulemaking: 86 FR 51821 (September 16, 2021) — technical conforming amendments after Dodd-Frank jurisdiction transfer.

Pending Legislation

  • SJRES 155 — Disapprove CFPB rule on FCRA preemption. Status: Introduced.
  • HR 8141 — Require resellers to follow maximum accuracy procedures. Status: Introduced.
  • SJRES 144 — Nullify CFPB FCRA preemption rule. Status: Introduced.
  • SJRES 145 — Block withdrawal of permissible-purposes rule. Status: Introduced.
  • SJRES 127 — Block withdrawal of file disclosure rule. Status: Introduced.
  • SJRES 129 — Nullify withdrawal of limited preemption of state laws. Status: Introduced.
  • SJRES 140 — Block withdrawal of name-only matching procedures. Status: Introduced.
  • SJRES 133 — Block withdrawal of background-screening rule. Status: Introduced.
  • HR 5923 — Broaden FCRA credit-monitoring to all uniformed services members. Status: Introduced.

Recent Developments

  • Free weekly credit reports were made permanently available in 2023, dramatically increasing consumer access
  • CFPB has increased enforcement against credit bureaus and data furnishers for dispute handling failures
  • Medical debt reporting has changed significantly — medical collections under $500 are no longer reported; paid medical debt is removed from reports
  • Credit scoring models are evolving — FICO 10, VantageScore 4.0, and alternative data (rent payments, utility payments) are expanding credit access
  • The Equifax data breach (2017, affecting 147 million consumers) continues to reshape data security expectations for consumer reporting agencies
  • CFPB under Trump dramatically scaled back FCRA enforcement in 2025: Acting Director Russell Vought dropped several pending enforcement actions against consumer reporting agencies and signaled the bureau would focus on deregulation; Congress debated whether to further limit CFPB authority under OBBBA's financial services title.
  • Medical debt credit reporting rule vacated: a January 2025 CFPB rule prohibiting medical debt on credit reports was finalized in Biden's final days; the Eastern District of Texas vacated the rule on July 11, 2025, finding the CFPB lacked authority under the FCRA to broadly prohibit medical debt reporting. The vacatur affected an estimated 15 million Americans with medical debt on their reports.
  • FCRA and AI credit decisions: the FTC issued guidance in 2023-2024 classifying AI-based credit screening tools as "consumer reports" subject to FCRA adverse action notice requirements; the Trump FTC under Chair Ferguson signaled lighter-touch AI oversight, but the underlying statutory requirements remain in force.

At My Address

See how Fair Credit Reporting Act (FCRA) plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address