I'm getting ready to audit FCRA including the provisions of the FACT Act (only those provisions in which the rules are final). I'm just wondering if anyone knows of any audit procedures for the FACT Act provisions? I'm not too sure where to start looking. Thanks.

I cannot take credit for this, but I can't remember who gave it to me... Put it in a spreadsheet or word, it is a start.


a. Obtaining Consumer Reports Only for Permissible Purposes Section 604
Determine if consumer reports are obtained only as permitted.
1) Review written procedures and/or interview applicable personnel to determine that consumer reports are obtained only for permissible purposes.
2) For a sample of recently obtained consumer reports, determine if the reports were obtained for a permissible purpose.
b. Pre-Approved and Pre-Selected Offers Based on Information Obtained from Consumer Reports Section 604
Determine if pre-approved or pre-selected offers in which a consumer report is obtained in connection with a transaction not initiated by the consumer are in compliance.
1) Review written procedures and/or interview applicable personnel to determine that only permitted information received from the consumer reporting agency (i.e., name and address of consumer, an identifier not unique to the consumer that is used by the bank solely for verifying the identity of the consumer, and other information pertaining to the consumer that does not identify the relationship or experience of the consumer with respect to a particular creditor or entity).
2) Review written procedures and/or interview applicable personnel to determine if written solicitations are accompanied by the layered FCRA disclosure that includes both the long and short notice mandated by the FCRA and that such notices comply with formatting and content requirements of the FCRA.
3) Review written procedures and/or interview applicable personnel to determine if the bank maintains a file, for three years, of the following information:
• Criteria used to select consumers to receive the offer,
• All criteria bearing on creditworthiness that are the basis for determining whether or not to extend credit under the offer, and
• Any requirement to furnish collateral as a condition of the offer.
4) Review written procedures and/or interview applicable personnel to determine if the bank honors the terms of the offer to consumers who had been determined to meet the criteria to receive the offer, unless the consumer falls under one of the following exceptions, in which case, credit does not have to be extended:
• Based on information provided by the consumer in his/her response to the offer, it is determined that the consumer does not meet the pre-determined criteria,
• Upon verification of information in the consumer’s response, it is determined the consumer does not meet the criteria,
• Based on information in the consumer’s response, a consumer report or other information bearing on creditworthiness, the bank determines that the consumer does not continue to meet the criteria, or
• The consumer does not meet the specific pre-established collateral requirements of the offer.
5) For a recent pre-approved offer, obtain the file documenting the offer, a sample of the notifications provided to consumers selected for the offer and a sample of responses to the offer and determine if such pre-approved offer was in compliance.
c. Responding to Document Requests on Transactions Resulting from ID Theft Section 609e
Determine that documents evidencing transactions alleged to be the result of ID Theft are provided without charge to the victim within 30 days of receiving the request.
1) Review written procedures and/or interview applicable personnel to determine that document requests are fulfilled after verifying the victim’s identity and within the regulatory timeframe.
Review a sample of document requests to ensure the requests are fulfilled in compliance with the FCRA.
d. Notification Upon Adverse Action Resulting from Consumer Reports Obtained at Times Other than Application for Credit Section 615
Determine that notification of adverse action was provided as required for adverse action taken based on consumer reports, data from unaffiliated third parties (only with respect to consumer credit transactions) or from an affiliate that was obtained other than in connection with an application for credit (e.g., upon the review of an existing account).
1) Review written procedures and/or interview applicable personnel to determine if notifications are provided as required upon adverse action and the notifications contain the following information:
• The adverse action,
• The name, address, and telephone number of the consumer reporting agency from whom the consumer report was obtained (the telephone number must be a toll-free number if the agency maintains files on a nationwide basis),
• A statement that the agency did not make the decision to take adverse action and is unable to provide the specific reasons for the action,
• A statement that the consumer has a right to receive a free copy of his/her consumer report from the agency, provided they request such within sixty days of receipt of the notice of adverse action,
• A statement that the consumer has the right to dispute the accuracy or completeness of information in the report,
• For consumer credit transactions in which adverse action was taken based on information from an unaffiliated third party, the fact that such information was used and that the consumer has the right to request obtain the nature of such information so long as he/she does so within sixty days of receipt of the adverse action notice, and
• For instances in which information obtained from an affiliate resulted in adverse action, the fact such information was obtained from an affiliate and that the consumer has the right to request the nature of such information provided he/she does so within sixty days of receipt of the adverse action notice.
2) For a sample of instances in which adverse action was taken, determine if notification was provided as required.
e. Accuracy of Data Reported to Consumer Reporting Agencies Section 623(a)(1)
Determine that data reported to consumer reporting agencies is accurate and that the bank does not have a reasonable cause to believe that information reported in inaccurate.
1) Review written procedures and/or interview applicable personnel to determine if there are controls in place to ensure the accuracy of data reported, and that inaccurate data is not reported (including instances in which the consumer has notified the bank of the inaccuracy of data previously reported).
2) For a sample of data recently reported to a consumer reporting agency, verify the accuracy of such information to bank records.
f. Reporting of Corrected Information to Consumer Reporting Agencies Section 623(a)(2) & (8)
For instances in which the bank determines that previously reported data is inaccurate or incomplete, determine if the bank, as required, notifies the consumer reporting agency of such, provides corrected or additional information and does not continue to report inaccurate or incomplete information.
1) Review written procedures and/or interview applicable personnel to determine if controls are in place to ensure reporting errors are promptly corrected and consumer reporting agencies are notified of such as required.
2) For a sample of instances in which the bank has determined that inaccurate or incomplete data had been reported that corrected or additional information is promptly reported to all consumer reporting agencies to which such data had previously been reported, and that future reports are accurate and complete.
g. Resolution of Disputes of Data Reported to Consumer Reporting Agencies Section 623(a)(2) & (8)
Determine if allegations received from consumers or consumer reporting agencies of erroneous or incomplete data are resolved as required.
1) Review written procedures and/or interview applicable personnel to determine if notices of disputes received from consumer reporting agencies are resolved as required.
2) Obtain a sample of recent notifications from consumers and consumer reporting agencies and determine the following:
• The allegations were investigated,
• All relevant information provided by the consumer/consumer reporting agency was reviewed,
• The results of the investigation were reported to the consumer and the consumer reporting agencies within the prescribed time limits, and
• If the allegations were valid, that the results of the investigation were also reported to all agencies to which the erroneous or incomplete information had previously been provided.
g. Reporting of Data in Dispute Section 623(a)(3)
For those instances in which the consumer disputes the accuracy or completeness of data, determine if notice of the disputes included with information reported to consumer reporting agencies or if such information is no longer reported.
1) Review written procedures and/or interview applicable personnel to determine if notice of dispute is included with any information alleged to be in error or incomplete as required.
2) For a sample of allegations of inaccurate or incomplete information, determine if notice of the dispute was included in any reports of such information to consumer reporting agencies.

h. Reporting of Voluntarily Closed Accounts Section 623(a)(4)
Determine if the voluntary closing of accounts is reported to consumer reporting agencies as required.
1) Review written procedures and/or interview applicable personnel to determine if the voluntary closing of accounts is reported as required.
2) For a sample of accounts voluntarily closed by the consumer, determine if such closings were reported to consumer reporting agencies in connection with the information regularly furnished to the agencies.
i. Reporting of Date of Commencement of Delinquency Relative to Accounts Placed for Collection, Charged to Profit or Loss or Subject to Similar Action Section 623(a)(5)
For accounts reported to a consumer reporting agency as placed for collection, charged to profit and loss or any similar action, determine if the month and year of commencement of the delinquency immediately preceding such action was reported as required.
1) Review written procedures and/or interview applicable personnel to determine if the month and year of the commencement of delinquency for accounts placed for collection, charged to profit or loss, reported as repossession, etc. are reported to consumer reporting agencies within ninety days of the reports of the collection, etc. action, as required.
2) For a sample of accounts reported as in collection, charged off, repossessed, etc., determine if the commencement of the immediately prior delinquency was reported as required (both as to accuracy of such date and the timeliness of such reporting).

j. Duties of Furnishers upon Notice of Identity Theft Section 623(a)(6)
Determine whether the bank has reasonable procedures to prevent refurnishing information alleged to be the result of ID Theft.
1) Review written procedures and/or interview applicable personnel to determine if future credit bureau reporting is blocked upon notification from a credit reporting agency that the subject account is the result of ID Theft.
2) For a sample of accounts reported as blocked by a credit reporting agency ensure that the bank is not reporting information on the subject account to credit reporting agencies.
k. Negative Information Notice Section 623(a)(7)
Determine whether customers are provided a disclosure that credit information may be reported to credit reporting agencies.
1) Review written procedures and/or interview applicable personnel to determine if customers receive the required notice of negative information.
2) For a sample of accounts ensure the disclosure was provided and complies with FCRA content and timing requirements.

And might I give you a pat on the back for not saying that you were going to audit FACTA. I see so many with a focus only on the changes, and there is so much more in the law this was added to, the FCRA.

Thank you, thank you - to you and whoever gave this information to you. I am starting a FCRA review in 3 weeks and this information gave me a jump start - just when I really needed it. I love BOLers!