FCRA / Regulation V – Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA), codified at 15 U.S.C. § 1681 et seq., is the U.S. federal statute that governs how consumer-report information is collected, shared, and used. Its implementing regulation is Regulation V (12 CFR Part 1022). Every fintech that pulls a credit report, runs an identity check sourced from a bureau, or supplies repayment data back to a CRA is squarely within scope.

This page covers permissible purpose, the user vs furnisher split, dispute investigation duties, adverse-action notice requirements, the application of FCRA to AI-driven underwriting, and the evidence infrastructure examiners increasingly expect from fintechs and sponsor banks.

Users, furnishers, and CRAs

FCRA splits regulated parties into three roles. Consumer reporting agencies (CRAs) assemble and sell consumer reports – the three nationwide bureaus, plus specialty CRAs like ChexSystems, LexisNexis Risk, and many KYC vendors that meet the statutory definition. Users request reports for a permissible purpose. Furnishers supply data to CRAs. A single fintech is often two of the three at once: a user when it pulls a report and a furnisher when it reports payment history back.

Permissible purpose

Section 604 enumerates the lawful reasons for which a consumer report can be requested. The list is finite. The purposes that matter most for fintechs:

• The consumer's written instructions
• A credit transaction involving the consumer
• Account review for an existing relationship
• A legitimate business need in connection with a transaction the consumer initiated
• Employment screening (with separate notice and consent rules)

Pulling a consumer report for fraud prevention without an account-review or transaction nexus is a recurring FCRA failure mode. So is using a report obtained for one purpose to make a decision in another (for example, using a credit pull collected during onboarding to deny a future loan two years later without a fresh permissible purpose).

Disputes and the duty to investigate

When a consumer disputes information on their report, FCRA imposes investigation duties on both the CRA (Section 611) and the furnisher (Section 623). The investigation must complete within 30 days (45 if the consumer adds material mid-cycle), include a reasonable review of the dispute and supporting documentation, and result in correction or deletion of inaccurate records.

The most-litigated FCRA failure mode is not investigating at all – treating a dispute as a notice to ignore rather than a duty to act. The second most common is investigating but failing to maintain records that prove a reasonable investigation occurred.

Adverse-action notices

If you deny credit, deny an account, charge a higher rate, reduce credit limits, or take another adverse action based in whole or in part on a consumer report, Section 615 requires a notice. The notice must identify the CRA whose report was used, state that the CRA did not make the decision, and tell the consumer they have a right to a free copy of the report and to dispute its accuracy.

Equal Credit Opportunity Act (ECOA) layers an additional adverse-action obligation on credit decisions, including specific reason codes for the denial. The two notices are usually combined into a single document, but the underlying obligations are independent and a missing element under either statute is its own violation.

FCRA, AI underwriting, and alternative data

The CFPB has been explicit: the use of a machine-learning model, an alternative-data source, or a third-party-built risk score does not change the FCRA analysis. If the inputs include consumer-report information, every user obligation applies. If the output is shared back with third parties for a covered use, the third party becomes a user. The 2023 CFPB circular on adverse-action notices for AI models reinforced that explainability and reason-code obligations apply in full – "the model is too complex to explain" is not a defense.

Evidence and orchestration

FCRA exams turn on records:

• Permissible-purpose log per consumer-report pull (consumer, purpose, account or application, timestamp)
• Dispute log with the dispute itself, the investigation steps, and the resolution
• Adverse-action notices linked to the underlying decision and the report that informed it
• Furnisher accuracy procedures and the investigation records that demonstrate they were followed
• Vendor oversight records for every CRA and CRA-adjacent provider in the workflow

FinQub records every consumer-report pull with its permissible-purpose tag, the consumer reference, the requesting workflow, and the vendor identity. Adverse decisions are linked to the underlying report. Disputes flow as first-class events with the investigation and resolution recorded on the hash-chained audit trail. Examiner queries by consumer or date range return the complete file without manual assembly across vendor dashboards.

Practical next steps

1. Map every workflow that pulls a consumer report or supplies data to a CRA – including KYC and fraud workflows that may not have been classified as FCRA touchpoints.
2. Lock permissible-purpose tagging at the orchestration layer so it cannot drift between vendors.
3. Wire the dispute pipeline into the audit trail with documented investigation steps, not just inbound logs.
4. Verify adverse-action notice generation covers every applicable workflow path – including model-driven and partial-information denials.