Compliance Blog

Legal, Regulatory and Practical Considerations for Sharing Credit Reports with Credit Applicants

Good morning Credit Union Compliance World.

When a member (or potential member) applies for a loan, it is not uncommon for the applicant to request a copy of the credit report that was pulled in connection with the application. From the member's perspective, it's something they've paid for - either literally, or because the credit inquiry will hit their credit report and possibly harm their scores.

Drew Carey

Whether the credit union can provide that report is a common question, and you may not be surprised that neither the FCRA nor Regulation V provides clear answers.

What the FCRA says…

With regard to credit reports pulled in connection with credit applications, the FCRA does not explicitly prohibit or permit a credit union to share the credit report with the applicant. Prior to the rulemaking authority for the FCRA being ported to the CFPB, the Federal Trade Commission, release its 40 Years Experience with the Fair Credit Reporting Act guidance, a summary of the FTC's interpretations on the law. This guidance states:


The FCRA does not prohibit a consumer report user from providing a copy of the report, or otherwise disclosing it or any item or items of information in it (or any score based on the information), to the consumer who is the subject of the report.106 See also section 607(c)." 40 Years guidance, p. 42 (citing FTC interpretations at 16 C.F.R. Part 600, App.Section 604―General, comment 3 (2005)).

While the FTC interpretations indicated that the FCRA does not prohibit the credit union from providing a copy of the report, it also does not require it. While this guidance is non-binding on the CFPB, in the absence of clarification by the Bureau, it is instructive.

However, this isn't the end of the story. Subsection 607(c) of the FCRA specifies that a credit reporting agency can not prohibit a credit union from disclosing the report with an applicant where an adverse action was taken:

"§ 607. Compliance procedures [15 U.S.C. § 1681e]


(c) Disclosure of consumer reports by users allowed. A consumer reporting agency may not prohibit a user of a consumer report furnished by the agency on a consumer from disclosing the contents of the report to the consumer, if adverse action against the consumer has been taken by the user based in whole or in part on the report." FCRA, § 607(c).

While a copy of the report must be provided in connection adverse actions regarding employment, that is not true for adverse credit decisions. SeeFCRA, § 615(a).

So, a CRA can't prohibit the credit union from disclosing the contents of the report with the applicant where they were denied. But, the FCRA does not state what "disclosing the contents" means or whether the CRAs can prohibit sharing a report with approved applicants. While the FTC's guidance states that credit unions are not prohibited from providing a copy of the report to applicants or disclosing the contents to approved applicants, the FCRA itself seems to leave the door open for the CRAs to set boundaries on these kinds of sharing contractually.

What credit unions might consider…

So we know that the FCRA does not prohibit credit unions from sharing the report and we know that the CRAs cannot prohibit credit unions from disclosing the contents of the report the applicants where an adverse action has been taken. That leaves a lot of grey area. Here are a couple of other considerations for credit unions trying to decide how to respond to these requests by consumers:

Contractual Considerations with Your CRA

There is no limitation in the FCRA on the CRAs' ability to contractually prohibit a credit union from sharing a credit report with approved applicants. Further, as the FCRA did not specify what "disclosing the contents of a report," means, it's possible that a CRA may define how the credit union may disclose the contents in its agreements, such as allowing the consumer to view but not receive a copy of the report. Credit unions considering sharing reports with applicants should consult their agreements with their CRAs to determine whether it is prohibited from sharing reports with approved applicants, and if the method of disclosing the contents of the report is specified by agreement.

Identity Theft and Liability Considerations

The credit union might also consider whether it is sure that the applicant is who they say they are, especially if an application was made over the phone or the internet. Providing a credit report without seeing an applicant in-person creates a risk of releasing a credit report to an applicant who is pretending to be someone else. Without confirming the applicant's identity, the credit union could expose itself to liability concerning the privacy of and harm to the person whose identity is being stolen and misused. What information or procedures are necessary for the credit union to feel comfortable releasing the credit report is a risk-based issue for the credit union to determine.

Further, a credit union might consider any possible liability that arises if the member accepts a copy of the report and then loses it. If the report, with the credit union's subscriber code, is used to steal the identity of the member, a question could arise as to whether it got to the fraudster through the credit union or through the member's own negligence. Some financial institutions have suggested redacting sensitive information like social security numbers and the subscriber code before letting the report leave the building for this reason.

Availability of Free Reports

Sections 609 and 610 of the FCRA explicitly require that the CRAs provide free credit reports to consumers, along with certain disclosures regarding their rights and the proper procedures for disputing information in their credit reports. The disclosures and reports are specifically formatted to be easier for consumers to understand and act on. Many credit unions to try steer members requesting a copy of their report to these free reports as they are intended for consumer use and better accomplish the policy goals of the FCRA.

About the Author

Elizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US, Senior Regulatory Counsel, NAFCU

Elizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US, Senior Regulatory Compliance CounselElizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US,  joined NAFCU as regulatory compliance counsel in July 2015 and was named Senior Regulatory Compliance Counsel in July 2016.

Read full bio