Monday, November 25, 2024

August 2011 Legal Briefs

By Mary Beth Guard

  • CFPB Powers Up
  • SAFE Registration Deadline Passes
  • Check Your Email Signature Line
  • Change Your AAN Address
  • Updated Authentication Guidance Issued
  • Risk Management on Prepaid Cards
  • Debit Card Interchange Fees
  • RESPA Reg Clarified
  • Reg B/FCRA Notice Change
  • Changes to the Risk-Based Pricing Notice

 

By Mary Beth Guard

CFPB Powers Up

July 21, 2011, one year after the Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law, the so-called “transfer date” arrived. That is the date when certain powers and authority were transferred to the new Consumer Financial Protection Bureau. For months, under the leadership of Elizabeth Warren, who had been appointed Assistant to the President and Special Advisor to the Secretary of the Treasury on the CFPB, the Bureau had been gearing up, maintaining a frequently updated website to allow interested parties to peek at what was going on behind the scenes.

Warren was a controversial figure and the prospects of her confirmation, if nominated as director, were uncertain.

From what we had seen, however, Warren seemed to be willing to listen to banker feedback and factor it into decision making. The Bureau had a clear direction and the quick pace of its development was evident from its website. After guiding the Bureau through its launch, Warren returned to Harvard Law School to teach, the President designated former Ohio attorney general Richard Cordray, who was CFPB’s enforcement chief, as his nominee for director of the Bureau, and Raj Date began running daily operations, according to a July 26

announcement.
From what we can tell, the result is chaos. We referred a consumer who had an issue relating to the Servicemembers Civil Relief Act to the Bureau’s hotline and told her to ask for the Office of Servicemember Affairs. She called back to let us know they said they didn’t know what she was talking about. Important information on the Bureau’s website hasn’t been updated. If you only read it, you would believe Warren was still in charge. As of

August 5, 2011, it still shows her bio, her calendar, and other outdated information.
More disturbing is the fact that at least some of the Bureau personnel don’t understand the basic types of financial institutions, their charters, their regulators. A banker told us about utilizing the Bureau’s complaint submission process to lodge a credit card-related complaint against a state-chartered nonmember bank. The complaint ended up being sent by the Bureau to the Department of Justice and the Federal Reserve Board!
Apparently, credit card complaints are the Bureau’s biggest hot button, as evidenced by its special online form for that type of complaint. Combined Truth in Lending and RESPA disclosures are also the focus of attention, despite the fact that the radically revised forms under RESPA for the Good Faith Estimate and HUD-1 took effect less than two short years ago at a staggering cost to lenders from training, software modifications and other change management-related expenses.

The Bureau’s most inexplicable action, however, came when it promulgated a new rule and called it Regulation D. Reg D? Financial institutions already have a Reg D to comply with. It’s a Federal Reserve rule and it deals with reserve requirements and lays out the parameters for different types of accounts, such as NOW accounts, MMDAs, savings accounts. If you are a new entity, as the Bureau is, and you’re going to adopt rules, why would you adopt a naming convention that already exists within another agency’s domain? And if you’re going to do alphabet regs, why would you start with D? What happened to A, B, and C? Lest you think that D happened to go with the subject matter, think again. The CFPB’s Reg D deals with Alternative Mortgage Transaction Parity. Well, kiss my grits.
Why should it concern you that the Bureau is languishing without strong and knowledgeable leadership? Because, subject to certain limitations under Dodd-Frank, most of the most important compliance regulations will fall under the

Bureau’s enforcement jurisdiction, including:
The following Federal Reserve Board rules:
12 CFR part 202–Equal Credit Opportunity Act (Regulation B)
12 CFR part 203–Home Mortgage Disclosure (Regulation C)
12 CFR part 205–Electronic Fund Transfers (Regulation E)
12 CFR 208.101-.105 & Appendix A to Subpart I–Registration of
Residential Mortgage Loan Originators (Regulation H, Subpart I)
12 CFR part 213–Consumer Leasing (Regulation M)
12 CFR part 216–Privacy of Consumer Financial Information (Regulation P)
12 CFR part 222–Fair Credit Reporting (Regulation V), except with respect to Sec. Sec. 222.1(c) (effective dates), 222.83 (Disposal of consumer information), 222.90 (Duties regarding the detection, prevention, and mitigation of identity theft), 222.91 (Duties of card issuers regarding changes of address), & Appendix J (Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation)
12 CFR part 226–Truth in Lending (Regulation Z)
12 CFR part 230–Truth in Savings (Regulation DD)
The following FDIC rules:
12 CFR part 332–Privacy of Consumer Financial Information
12 CFR part 334–Fair Credit Reporting, (with the same types of exceptions noticed above for 12 CFR part 222)
12 CFR 365.101-.105 & Appendix A to Subpart B–Registration of Residential Mortgage Loan Originators
The following OCC rules:
12 CFR 34.20-.25–Adjustable-Rate Mortgages (but only as applied to non-federally chartered housing creditors under the Alternative Mortgage Transaction Parity Act (“AMTPA”))
12 CFR 34.101-.105 & Appendix A to Subpart F–Registration of Residential Mortgage Loan Originators
12 CFR part 40–Privacy of Consumer Financial Information
12 CFR part 41–Fair Credit Reporting (with the same types of exclusions as listed in 12 CFR 222 above
12 CFR part 761–Registration of Mortgage Loan Originators

Plus, the Bureau has powers over RESPA, the SAFE Mortgage Licensing Act, and over civil money penalties for RESPA violations.
Heaven help us all.

SAFE Registration Deadline Has Passed

The deadline by which insured financial institutions were required to register their mortgage loan originators (except those that fall within the de minimis exception because the LO has made 5 or fewer residential mortgage loans in the last 12 months) was July 29, 2011.

Several things to check on: First, despite the use of the term residential mortgage loan originator, those subject to the registration requirement do not have to be engaged in making loans secured by real estate. Since “residential mortgage loan” means any loan secured by a dwelling and it refers to Truth in Lending for the definition of a dwelling, even loans secured by a mobile home, a boat, or the like, would be affected. Take a second look at the issue of which loan originators within your bank should be registered if you did not realize no dirt was required. If you find any that weren’t registered (e.g., maybe they only make mobile home loans) and you now realize they should have, realize that they can squeak by and make up to five covered loans now, but to be able to make the sixth or beyond, registration is mandatory.

Second, be sure you have a workable procedure in place to ensure any new hires (or individuals who have changed duties within your organization) get registered in the future when they come on board to make residential mortgage loans.

Third, double-check to make sure your bank is making the names and numbers of your mortgage loan originators available as required. Under the regulation, the bank is required to make the unique identifiers of its registered mortgage loan originators available to consumers in a manner and method practicable to the institution. In addition, the MLO must provide his/her unique identifier to a consumer in three specifically identified circumstances: 1) when a consumer requests it; 2) before the MLO acts as a mortgage loan originator as to that consumer; and 3) through the originator’s initial written communication with a consumer, if any, whether on paper or electronically.
Particularly as to the bank’s use of the unique identifier, there is flexibility due to the “manner and method practicable” language in the regulations.

Here are some of the places other banks say they are putting each loan officer’s NMLS#:
• On business cards
• In the lender information box on the Good Faith Estimate with the bank name and address
• In the email signature line for the loan officer
• On a sign at each desk
• On a lobby notice that lists the names of all the bank’s MLOs and the NMLS ID for each
• On a list on the bank’s intranet that is readily accessible to each employee
• On the bank’s website
• On application forms for dwelling-secured loans (required, as is the bank’s own number, if the loan is being sold to Fannie or Freddie)
• On letters (typed in, unless it’s personalized letterhead for a loan officer, in which case it could be part of the personalized part)
• On a specially designed flyer for a loan officer to provide to the consumer. The flyer not only provides the NMLS unique identifier and the loan officer’s name, but also gives some information about the SAFE Act and the registry
• Loan officer blogs and Facebook pages
• And there was also the banker who said (obviously joking!): “If an MLO really wanted to, they could tattoo the number to their forehead and they would meet all 3 required disclosure triggers at all times.” Another compliance officer pointed out that wouldn’t work in his bank, as the employee policy prohibits visible tattoos.

You have options. Just make sure you are in compliance with the minimum requirements. (I would be remiss if I did not note, however, that the minimum requirements will be changing. The Dodd-Frank Act requires the NMLS unique identifier to be included on all loan documents. That particular provision of Dodd-Frank requires implementing regulations, however, and they have not been promulgated yet, so we’ll see how they define “all loan documents” down the road when they get around to writing those rules.

Check Your Email Signature Line

Email is the preferred means of communication for many of us these days. It’s quick, it’s easy, and the recipient can respond when it’s convenient, making it less intrusive than a phone call.

If you use email as a business communication tool, check your email signature line. We have discovered through the many emails we receive through compliance@oba.com that a number of bankers do not disclose the name of the bank or the city and state in their signature lines. Sometimes that means we have to do a little detective work.

We take the domain name part of the email address and try to figure it out from there. But if the email address is something like “complianceofficer@bankinyourpjs.com” we then have to go to our web browser, type in bankinyourpjs.com to try to pin down the bank name. Sometimes we hit a dead end because the email address uses a domain name tied only to a mail server and not a bank website. Even when we do uncover a website, we may be several clicks away from determining the town.

For the convenience of your recipients, spell it all out.

Change Your AAN Address

If you are a state-chartered nonmember bank, don’t forget that the FDIC has changed the address for its national Consumer Response Center (CRC) and has directed affected institutions to update their adverse action notice forms and fair housing posters to reflect the new mailing address “as soon as practicable” to
FDIC

Consumer Response Center
1100 Walnut St, Box #11
Kansas City, MO 64106

Updated Authentication Guidance Issued

In light of the increasing threats from cyberthieves, the FFIEC has issued a long-awaited supplement to its guidance document Authentication in an Internet Banking Environment. It sketches out changes to the thread landscape and expresses concern about the effectiveness of customer authentication methods that have been in use since the 2005 guidance.

This is of critical importance and should be addressed immediately. While the supplement is only 12 pages long, it packs a punch. To be compliant with it:

1. Be sure you are performing periodic risk assessments to consider new and evolving threats to online accounts. Your risk assessment must look at the following – and this is not an exhaustive list of factors:
• changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
• changes in the customer base adopting electronic banking;
• changes in the customer functionality offered through electronic banking; and
• actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.

2. Do a determination of the level of risk posed by various transactions. The Agencies believe it is prudent to recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases. In other words, if Bubba has a checking account and he occasionally transfers $50 between his checking and savings accounts, that’s not going to need the same level of protection as a customer that is going online and setting up ACH debits amounting to hundreds of thousands of dollars.

3. Adjust your customer authentication measures, as necessary, in light of the findings of your risk assessments.

4. Utilize layered security – different controls used at different points in a transaction process – for high risk Internet-based systems. Examples of controls that could be included in a layered security program, would include, for example:
• fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
• the use of dual customer authorization through different access devices;
• the use of out-of-band verification for transactions;
• the use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account:
• enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
• internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
• policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
• enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
• enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.Examine what you are currently doing. Are you using layered security, or are you merely using one of the controls noted above?

5. The controls you employ must, at a minimum, allow you to detect and respond to suspicious activity, and must include enhanced controls on business accounts for system administrators that have privileges to set up or change system configurations.

The guidance includes somewhat of a post mortem on some of the attack methods cyberthieves have used and an analysis of the effectiveness of various controls. It’s an eye-opening read that should be tackled immediately. Your bottom line may depend upon it.

Risk Management on Prepaid Cards

OCC 2011-27 addresses risk management and sound practices with respect to prepaid access programs. While the guidance is only directly applicable to nationally-chartered banks, we believe institutions of all charters with prepaid access programs would benefit from following its recommendations for this rapidly growing banking product.
First, understand what is meant by Prepaid Access Programs. It includes everything from gift cards to general purpose reloadable cards, payroll cards, government benefit cards, retail gift cards, mobile phones, and Internet sites.

Reloadable. Anonymous. These are the attributes that make the programs attractive to customers and scary to compliance officers and BSA personnel.

If you are offering prepaid access:
1. You need a risk management program to help you identify, measure and monitor and control the risks from the products;
2. You must perform due diligence in selecting third-party providers;
3. You need an oversight process to help you monitor performance of the program, keep a watchful eye over fraud losses, and to spot suspicious activity;
4. You need to make sure you’re in compliance with all the disclosure requirements;
5. You need to determine a schedule and form for reporting to the board so the board can evaluate the program;
6. You need to understand the different levels of risk posed by the different types of prepaid access.
7. You need written policies and procedures;
8. You need to clearly delineate roles and responsibilities of the personnel involved;
9. You need to make sure your policies and procedures are easily accessed by relevant employees and well understood by them;
10. Your policies and procedures need to have an “exit strategy” – a way for your institution to get out of the business if a particular product doesn’t perform as you plan;
11. The consumer is able to add and store funds on the device, and use it to spend or withdraw the funds from a variety of sources;
12. You need to have a well-written in contract in place with the third-party service provider so that each party knows who is supposed to do what;
13. Your board needs to establish risk limits for the program – after the board understands how the program is expected to operate, the level and nature of risks it will bring to the bank, and its projected costs and revenues;
14. Before you even launch a prepaid program, you should make sure your audit and compliance functions can handle the new program. If you expand your audit and compliance functions to accommodate the program, they recommend you:

•ensure the audit and compliance functions provide for sufficient consumer protection transaction testing. Testing should ensure all fees are clearly disclosed, and a sample of accounts should be tested to verify that fees are assessed as disclosed. Such programs should also provide for testing of BSA/AML and OFAC compliance. This testing should include samples from both in-house and outsourced components, and should broadly cover the number of alerts generated and suspicious activity report filings. Banks may use existing fraud, Gramm-Leach-Bliley Act (GLBA), and OFAC monitoring programs [6] to ensure appropriate coverage.
•include procedures to evaluate any proposed changes or additions to the product prior to implementation, to ensure that all risks are considered.

15. Periodic reports to the board from management should be given to allow the board to monitor the risks, determine whether stated objectives and financial goals are being met. They suggest the reports may include:

• performance benchmarks, such as Service Level Agreements and Key Performance Indicators, and the program’s performance against those measures. These benchmarks should include trends as well as point-in-time performance.
• comparison of the program’s activity against board-established risk tolerances.
• variance reports.
• summaries of suspicious activity monitoring and reporting.
• fraud loss reports, including volume and type of fraud (such as account takeover and identity theft).
• results of audits and regulatory compliance reviews.
• a summary of service disruptions or security breaches that occurred since the last report.

Debit Card Interchange Fees

It’s here — new Regulation II of the Federal Reserve Board, establishing standards for debit card interchange fees and prohibiting network exclusivity arrangements and routing restrictions. Most of the new regulation, which is required by the Dodd-Frank Act, will be effective October 1, 2011. We are still studying the rule, and we’ll have full details for you in next month’s Legal Briefs.

One question that did arise with respect to the new rules was about how even banks under $10 billion could be affected on the gift card front. As it turns out, the exemptions for small banks only apply to true debit cards connected to a deposit account, not to gift cards.

RESPA Reg Clarified

HUD made what it calls “technical and clarifying amendments” to its Regulation X, which implements RESPA. The changes were published in the Federal Register on July 11, 2011.

Most of what they did is cleanup in nature. For example, HUD has consistently taken the position in its FAQ and in the RESPA Roundup that a lender may not impose a fee (other than for a credit report) until after l) the GFE has been received; AND 2) the applicant has expressed an intent to proceed, but the second requirement was not in the law or regulation. HUD says the language was inadvertently omitted from the regulatory text and they eliminate ambiguity about the need for an expression of intent by the applicant by amending the regulation to require it.

They also correct and clarify the rule to eliminate instances where they use the terms “new GFE” and “revised GFE” in confusing ways. They stress that a revised GFE is not a new GFE.

The revised rule makes clear that if a revised GFE is given, the terms in it do not remain binding indefinitely; they expire 10 days after the GFE is given if the borrower does not express an intent to continue with the application.
Also made clear is the fact that if the borrower requests changes, a revised GFE given to the borrower may increase charges listed on the GFE only to the extent that changed circumstances or the borrower’s requested change actually increase those charges.

HUD received lots of inquires about estimates on the HUD-1. For example, lenders wanted to know what to do on the HUD-1 if there was an estimate for a service on the GFE that ended up not being purchased. Appendix A is now revised to clarify that the amounts to be inserted on page 3 of the HUD-1 in the comparison chart are for services that were actually purchased or provided as part of the transaction. No amount should be included on page 2 of the HUD-1 for any service listed on the GFE that was not actually obtained in connection with the transaction.

HUD clarified the Appendix so it’s now clear that since the HUD-1 is to show actual charges and adjustments, if the borrower doesn’t purchase a settlement service that was listed on the GFE, there should be no amount entered for that service on page 2 of the HUD-1 and the estimate of the charge from the GFE should not be included in the comparison chart. The reason this is important is because including unpurchased services (like owner’s title insurance) in the comparison chart gives padding in the 10% tolerance categories. 

And if you have been bedeviled by the HUD-1 instructions for Lines 601-602, where it says “Enter the total in Line 420 and Line 610,” rest easy. It’s a typo. It’s now corrected to be line 601.

Reg B/FCRA Notice Change

Do you obtain credit scores in connection with applications for credit or a deposit account? If the answer is “No,” a recent change to Regulation B will not affect you. You can stop reading this part of Legal Briefs. If the answer is “Yes,” it might.

The Dodd-Frank Act’s Section 1100F amends the Fair Credit Reporting Act to require creditors to disclose on FCRA adverse action notices a credit score used in taking any adverse action and information relating to that score. It also amends a different part of the FCRA in a way that impacts the risk-based pricing notices requirements, but we’ll discuss that in a minute. Back to Regulation B.

Regulation B gets into the fray because you have an adverse action notice requirement under Regulation B and model forms for giving the notice. On Reg B, you give an adverse action notice if you have an application for credit (business or personal) and you are turning down the app or not granting credit on the terms requested.

Under the Fair Credit Reporting Act, if you pull a credit report on a consumer and you are denying credit in whole or in part based upon information contained in a credit report, you have to provide an FCRA adverse action notice. Similar, but different from the Reg B, both in terms of the trigger and the content.

In Reg B, there are model forms for just the Reg B adverse action notice. There are also model forms which combine the Reg B adverse action notice with the FCRA adverse action notice. With the new provision in Dodd-Frank, those combined model notices had to be tweaked, so the Federal Reserve Board amended Reg B’s model forms, effective August 15, 2011.

Section 1100F of the Dodd-Frank Act amends section 615(a) of the FCRA to require that creditors disclose additional information on FCRA adverse action notices. The statute generally requires that a FCRA adverse action notice include:
(1) a numerical credit score used in making the credit decision;
(2) the range of possible scores under the model used;
(3) up to four key factors that adversely affected the consumer’s credit score (or up to five factors if the number of inquiries made with respect to that consumer report is a key factor);
(4) the date on which the credit score was created; and
(5) the name of the person or entity that provided the credit score.

Model Forms C-1 through C-5 have been amended to incorporate the additional content requirements prescribed by section 1100F of the Dodd-Frank Act. If you use a proprietary credit scoring system, Model Form C-3 is to be used. Determining whether what you’re using is a proprietary score or not is the first step you need to take. If you are simply procuring a credit score from a consumer reporting agency, then you don’t have a proprietary score. If you obtain a score from a consumer reporting agency, then develop your own based on various factors, you need to look at the definitions before deciding which form to use and how to proceed.
Optional language in Forms C-1 through C-5 may be used to direct the consumer to the entity that provided the credit score for any questions about the credit score, along with the entity’s contact information. Creditors may use or not use this additional language without losing the safe harbor, since the language is optional.

In some cases, a creditor that is required to provide an adverse action notice under the FCRA may use a consumer report, but not a credit score, in taking the adverse action.
• Under section 1100F of the Dodd-Frank Act, a person is not required to disclose a credit score and related information if a credit score is not used in taking the adverse action.
• A creditor that obtains a credit score and takes adverse action is required to disclose that score, unless the credit score played no role in the adverse action determination.
• If the credit score was a factor in the adverse action decision, even if it was not a significant factor, the creditor will have used the credit score for purposes of section 1100F of the Dodd-Frank Act.
• In some cases, a creditor may try to obtain a credit score for an applicant, but the applicant may have insufficient credit history for the CRA to generate a credit score. Section 1100F only applies when a creditor uses a credit score in taking adverse action. The creditor cannot disclose credit score information if an applicant has no credit score.
In the new form, you are required to disclose the top four (or five) key factors that adversely affected the credit score, whether or not the effect was substantial. Disclose all the key factors, up to four, subject to section 609(f)(9) of the FCRA, which states that if the key factors that adversely affected the credit score include the number of inquiries made with respect to the consumer report, the ―number of inquiries‖ must be disclosed as a key factor.
Where will you get the key factors? Unless you are using a proprietary score, you can get the information directly from the consumer reporting agency from whom you obtained the score.

Does this seem redundant? After all, you are already disclosing (or giving the applicant a right to ask for) the reason for the adverse action, and now you are being asked to tell them what negative impacted the credit score. Yes, there is some redundancy, but some specific reasons for taking adverse action may be unrelated to a consumer’s credit score, such as reasons related to the consumer’s income, employment, or residency.

For some reason, they want the four factors – but if the number of inquiries was a factor, they bump up the number for you to disclose to five. The rule says if the number of inquiries is a key factor that adversely affected the consumer’s credit score, that factor must be disclosed pursuant to section 609(f)(1)(C) of the FCRA, without regard to the numerical limitation. The FCRA accordingly requires disclosure of the “number of inquiries” as a key factor, regardless of whether it is one of the top four key factors.

Some of you have complied with the risk-based pricing notice rules by using the exception that allows you to give the credit score disclosure under Regulation V, rather than a risk-based pricing notice. You may be holding your breath, hoping that giving that notice will suffice and you won’t need to make the changes discussed above. Sorry. These are two separate and distinct (although related) requirements. A creditor does not comply with the FCRA adverse action provisions in section 1100F by providing a credit score disclosure exception notice or section 609(g) notice. In addition, the 609(g) notice may not be integrated into a FCRA adverse action notice.

Be sure you understand how to handle these new model forms when you are dealing with co-applicants or when you are dealing with guarantors and co-signers.

Regulation B at 202.9(f) permits a creditor to provide an adverse action notice to only one applicant, and requires a creditor to provide an adverse action notice to the primary applicant, when a primary applicant is readily apparent.

On the other hand, Section 615(a) of the FCRA requires a creditor to provide the disclosures mandated by that section to any consumer against whom adverse action is taken, if the adverse action is based in whole or in part on information from a consumer report. “Any consumer” includes co-applicants.

Because of the sensitive nature of a credit score, the Federal Reserve states that creditors should provide separate FCRA adverse action notices to each applicant with only the individual’s credit score on each notice.

With respect to guarantors and co-signers, keep in mind that under Reg B 202.2(c) only an applicant can experience adverse action. A guarantor or co-signer is not deemed an applicant under § 202.2(e). That means a guarantor or co-signer would not receive an adverse action notice under the ECOA or the FCRA. The applicant would receive an adverse action notice, even if the adverse action decision is made solely based on information in the guarantor’s or co-signer’s consumer report, but a guarantor or co-signer’s credit score should not be disclosed to an applicant in an adverse action notice.

If you obtain multiple credit scores, you are only required to disclose a single credit score used in taking adverse action. You decide which one – but you do so through policies and procedures to determine which of the multiple credit scores was used in taking adverse action.

For example, you could have policies and procedures specifying that when you obtain multiple credit scores but only use one of them in taking adverse action, such as b by using the low, middle, high, or most recent score, you would disclose that credit score and information relating to that credit score. Your policy may say that if you use multiple credit scores in taking adverse action, for example, by computing the average of all the credit scores obtained, the creditor would disclose any one of those credit scores and information relating to the credit score.
Remember – it’s not limited to credit. A credit score must be included in the FCRA notice provided in the case of adverse action decisions related to a deposit account, insurance product, or employment.

You should be using the revised forms NOW. Even though the amendments to Regulation B take effect August 15, 2011, the underlying statutory provisions imposing the new requirements took effect July 21, 2011. I know, I know. Unbelievable!

Changes to the Risk-Based Pricing Notice

The same section of Dodd-Frank that made the changes to the FCRA adverse action notice also required changes to the risk-based pricing notice rules. Regulation V was amended, effective August 15, 2011. (Again, the statutory changes already took effect July 21, 2011.)

Here is the good news about these particular changes. These changes do not impact creditors that have chosen to use the credit score exception notices.

Also, if you do not use credit scores, these changes to the risk-based pricing rules do not affect you.

If you are instead providing the risk-based pricing notice, however, either for account review or for applications, you must amend them to include the new required information, as follows:

If a credit score of the consumer to whom a person grants, extends, or otherwise provides credit is used in setting the material terms of credit:
(A) A statement that a credit score is a number that takes into account information in a consumer report, that the consumer‘s credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer‘s credit history;
(B) The credit score used by the person in making the credit decision;
(C) The range of possible credit scores under the model used to generate the credit score;
(D) All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;
(E) The date on which the credit score was created; and
(F) The name of the consumer reporting agency or other person that provided the credit score.

The verbiage is slightly different for account review.

In a transaction involving two or more consumers who are granted, extended, or otherwise provided credit, a person must provide a notice to each consumer to satisfy the requirements of § 222.72(a) or (c).
• Whether the consumers have the same address or not, the person must provide a separate notice to each consumer if a notice includes a credit score(s).
• Each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer.
• If the consumers have the same address, and the notice does not include a credit score(s), a person may satisfy the requirements by providing a single notice addressed to both consumers.
If you use credit scores and are giving the RBPN, rather than utilizing an exception, you’re going to use model form H-6 (new app) or H-7 (account review).
A creditor that obtains a credit score and engages in risk-based pricing would need to disclose that score, unless the credit score played no role in setting the material terms of credit. Moreover, even if the credit score was not a significant factor in setting the material terms of credit but was a factor in setting those terms, the creditor will have used the credit score for purposes of section 1100F of the Dodd-Frank Act.
A person is not required to provide a risk-based pricing notice to a guarantor, co-signer, surety, or endorser.
• A person may be required, however, to provide a risk-based pricing notice to the consumer to whom it grants, extends, or otherwise provides credit, even if the person only uses the consumer report or credit score of the guarantor, co-signer, surety, or endorser.
• When a person uses a credit score only of a guarantor, co-signer, surety, or endorser to set the terms of credit for the consumer to whom it extends credit or whose extension of credit is under review, a person shall not include a credit score in the general risk-based pricing notice or account review notice provided to the consumer.