By Victoria E. Stephen
The Fair Credit Reporting Act, or FCRA for short, basically regulates the furnishing and collecting of credit information and imposes certain disclosure requirements in connection with accessing credit reports. The FCRA itself is a statute and only a few parts of the statute have implementing regulations, so it can be particularly tricky to interpret at times.
One of the most common questions we get on the Compliance Alliance Hotline is whether the FCRA applies to commercial loans. Unfortunately, there’s not a straightforward answer to this like there is for Regulations X or Z. Although the FCRA is generally limited to consumer purpose transactions, it also applies in some cases to commercial purpose transactions involving a consumer.
You might be asking, if there is a “consumer,” how can this possibly be a commercial loan? Well, the answer is that the statute defines “consumer” very simply—just as an “individual”:
- 603. Definitions; rules of construction [15 U.S.C. § 1681a]
(c) The term “consumer” means an individual.
As you can see, there’s no requirement that the individual is obtaining a product or service specifically for a consumer purpose. Likewise, the term “consumer report” includes other purposes besides just personal, family, or household purposes:
(d) Consumer Report (1) In general. The term “consumer report” means any written, oral, or other communication…used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for
(A) credit or insurance to be used primarily for personal, family, or household purposes;
(B) employment purposes; or
(C) any other purpose authorized under section 604 [§ 1681b].
Does this mean that the bank has to have a permissible purpose before pulling a credit report on an individual guarantor for a loan to a business entity? The answer to this is conclusively ‘yes’—there always has to be some permissible purpose before pulling any consumer report on any individual. The question is whether the application itself is enough of a permissible purpose, since the individual is just a guarantor. For this, we turn to the Federal Trade Commission’s (FTC) “Tatelbaum Opinion” which ultimately concludes that if an individual has any kind of personal liability on a business loan, including just a guarantee, there would be permissible purpose under the FCRA by means of the application for credit.
What about during the term of the loan though? Many banks regularly pull consumer reports on individuals throughout the term of the loan, and there’s a question as to whether the need to review itself constitutes a permissible purpose. In the “Gowen Opinion,” the FTC concludes that in order to have valid permissible purpose, the bank would need to have some authority to change the terms of the loan as a result of the review; for example, if the bank had the authority to terminate or freeze the loan if the report contained certain negative information. On the other hand, if the bank is just “reviewing” the report so as to potentially offer the borrower different terms, then it would generally not be allowed, “unless the contract expressly provides for such action.”
As a caveat, however, these opinions are only informal guidance that are not binding on the FTC, and further, interpretive authority for the FCRA technically transferred to the Consumer Financial Protection Bureau (CFPB) pursuant to the Dodd-Frank Act. While plenty of banks do rely on them, we would still recommend getting written authorization from the individual to pull credit. In fact, we’d recommend this in every case, for any consumer report pulled. This way, the bank can rely on that written authorization as valid permissible purpose to pull the consumer report, rather than having to justify that one of the other permissible purposes apply. Said another way, the bank always has a permissible purpose to obtain a consumer report if the individual authorizes this in writing. (For reference, the full list of permissible purposes can be found in § 604(a) of the FCRA).
Besides permissible purpose questions, the other common question we get on the Hotline is whether an adverse action notice has to be provided in a commercial context. The general rule in the FCRA is that if the bank obtains a consumer report and takes adverse action based (in whole or in part) on any information in the report, it must give the consumer an adverse action notice. The catch here is how the FCRA defines an “adverse action.” The definition is based on Regulation B’s (12 CFR § 1002) definition of “adverse action,” which does not include guarantors:
…Under section 701(d)(6) of the ECOA and § [1002.2(c)] of Regulation B, only an applicant can experience adverse action. Further, a guarantor or co-signer is not deemed an applicant under § [1002.2(e)]. …
Luckily, the FTC clarifies this in the “Stinneford Opinion.” If the consumer is only a guarantor (or acting in a similar capacity in which she or he is only secondarily liable on the business-purpose loan), then an adverse action notice would not be required to be provided to the guarantor. This is true even if the application is being denied based on information from the consumer report of the guarantor. On the other hand, if the individual is a co-borrower (or acting in a similar capacity in which she or he is primarily liable on the loan), then a FCRA adverse action notice would be required.
If trying to figure out the difference between the two sounds like way too much work, the bank is welcome to provide an adverse action notice in both cases. Note, however, that any time the bank provides multiple FCRA adverse action notices, each individual should receive a separate adverse action notice with the credit score disclosures associated with just her or his own report. In other words, the individual should never receive the credit score information of another co-applicant.
Although the focus of this article is the FCRA, we always get a follow-up question regarding whether a Reg. B adverse action notice is required, even if a FCRA adverse action is not. According to Reg. B, the bank may provide the adverse action notice only to the primary applicant, if there is one, but it also does not prohibit the bank from providing a notice to each applicant if it chooses.
As always, Compliance Alliance and TBA members are welcome to contact us with any other questions by email at firstname.lastname@example.org, or by calling 888-353-3933, or chatting in on the website. Non-members should direct inquiries to the Membership Team at email@example.com