Fair Credit Reporting Act (FCRA): An overview

Summary

The Fair Credit Reporting Act (FCRA) is a federal regulation in the United States that was enacted in 1970. The Act was intended to ensure that consumers’ credit information is collected and used fairly and accurately, and in ways that adhere to privacy standards. Most recently the FCRA was updated and republished in May 2023.

The FCRA was passed in response to growing concerns about the potential misuse of consumer credit data. Its main goal is to ensure that consumer reporting agencies conduct business responsibly, and to protect consumers from data inaccuracies, unfair profiling, and identity theft.

Multiple federal agencies administer the FCRA, and the regulation controls consumer reporting agencies (CRAs), furnishers that provide credit information to CRAs, and users, i.e. entities that use credit information to make business decisions.

The FCRA created obligations and limitations for collection, use, and accuracy of consumers’ credit information, as well as its security and consumers’ privacy. Consumers have rights provided by the FCRA regarding their credit information, how it’s used, and who can access it.

Many US state-level data privacy laws have exemptions where relevant federal regulations take precedence. The FCRA is one such regulation, as is the Gramm-Leach-Bliley Act (GLBA), which also regulates the financial sector.

The protections and obligations of these federal regulations are comprehensive enough that additional coverage under the state-level laws is not considered necessary, and authorities can reference and defer to the FCRA and other relevant federal regulations.

What is the Fair Credit Reporting Act (FCRA)?

The Fair Credit Reporting Act (FCRA) is a US federal law that addresses access to, use of, and decision-making using American citizens’ credit information. It provides consumers with specific rights regarding their personal credit data, and creates responsibilities for organizations accessing or using it.

Credit information is consumers’ personal financial data. It’s collected and maintained largely by credit bureaus or credit reporting agencies. It reflects individuals’ activities with borrowing and repayment, e.g. loans, mortgages, credit cards, etc.

Credit information includes personal identifying details like name, address, and Social Security number, as well as information about credit accounts, payment history, account balances, credit limits, records of bankruptcies or liens, and other relevant information. This information together contributes to generation of a consumer’s credit score.

Companies like banks, insurers, employers, and landlords use this information to assess prospective clients, employees, and tenants for creditworthiness, to determine interest rates, approve or deny lending, and other functions.

Who has to comply with the FCRA?

Many kinds of entities in the US that access and use credit information are required to comply with the FCRA. They include:

  • Consumer reporting agencies (CRAs) like Equifax, Experian, or TransUnion
  • Specialty agencies, e.g. for employment screening, tenant history, medical records, etc.
  • Entities that provide information to CRAs, also called furnishers, e.g. lenders like banks, credit card issuers, auto finance companies; debt collectors; telecommunications companies and utilities; and landlords
  • Businesses that use consumer reports for evaluations and decision-making, also called users, e.g. lenders, employers, landlords, insurance companies, and government agencies

These entities make decisions that have considerable impact on people’s lives, work, and financial status, and by the definition of most data privacy laws, the information they work with is considered “sensitive.” As a result the FCRA is important to help ensure that necessary restrictions, handling requirements, accuracy mechanisms, and privacy and security measures are in place.

Fair Credit Reporting Act updates

As the FCRA has been in effect for over 50 years, amendments have been necessary over time as technologies have changed and to improve consumer protections and oversight of the credit reporting system.

One of the most significant updates was 2003’s Fair and Accurate Credit Transactions Act (FACTA), which introduced new rights related to identity theft, credit score disclosures, and fraud alerts.

Even more recent developments have focused on increasing transparency and accountability for credit bureaus. The Consumer Financial Protection Bureau (CFPB) has increased scrutiny and enforcement actions, and there have been calls for CRAs to improve dispute resolution processes and data accuracy.

In 2023, the CFPB emphasized the need for stricter controls on the use of medical debt in credit reporting. The United States has a market-based or private healthcare system, and individuals who do not have comprehensive private health insurance can incur medical debt, often financially crippling, for treatments, tests, medications, and other healthcare needs.

This can have enormous negative effects across people’s lives and those of their families if medical debt significantly affects their credit history and rating.

The CFPB began exploring rulemaking that could impact how consumer data is handled in the digital era, including the role of data brokers, which are often legislated separately from consumer-centric data privacy laws.

Discussions of additional reforms continue, particularly concerning how consumer reporting impacts marginalized groups and the potential for alternative data models. Other data privacy laws in the US and internationally, as well as evolving consumer expectations of privacy, are likely to continue influencing future changes to the regulation.

FCRA definitions

To help with understanding the Act and supporting ongoing FCRA compliance, we’ll look at definitions of various terms and functions relevant to the regulation and the organizations that need to comply with it.

Credit reporting agency

A credit reporting agency is a type of consumer reporting agency, also called a credit bureau, that focuses specifically on credit-related data, such as payment history, debt levels, and credit utilization. Credit reporting is a subset of consumer reporting. Equifax, Experian, and TransUnion are examples of credit reporting agencies.

In the digital era when data breaches are increasingly common, organizations like these are often contracted to provide ongoing credit monitoring and information for a specified period of time to consumers who have been victims of data breaches.

Consumer reporting agency (CRA)

Consumer reporting agency is a broader term that includes entities like credit reporting agencies. It’s a legal term that is defined by the FCRA, referring to any organization that:

  • Collects or evaluates consumer information
  • Compiles consumer information into consumer reports
  • Provides consumer reports to third parties, such as lenders, employers, or insurers, for use in making eligibility decisions, e.g. credit, employment, insurance, or housing

The consumer information collected and evaluated includes not just credit data, but also information related to employment history, rental history, personal characteristics, and reputation.

Specialty consumer reporting agency

A specialty consumer reporting agency is a type of CRA that compiles and maintains files on consumers, often on a nationwide basis, relating to specific industries or activities, e.g. medical records or payments, residential or tenant history, check writing history, employment history, or insurance claims.

Consumer credit information

Consumer credit information refers to any data collected or communicated by a CRA that relates to a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

This information is compiled and used in consumer reports to assess a person’s eligibility for credit, insurance, employment, housing, or other purposes as defined by the FCRA.

In addition to identity details, credit information includes credit accounts, payment history, credit limits, outstanding debts, and public record data like bankruptcies or liens.

When shared by a CRA with a third party for a permissible purpose, this data becomes regulated under the FCRA and is subject to requirements for accuracy, privacy, and consumers’ rights.

Consumer report

A consumer report is a summary of information about a person that informs businesses to help make decisions about potential clients, employees, or tenants.

It can include details about someone’s credit history, reputation, or lifestyle, and it’s usually shared with third parties — when certain legal conditions are met — by a consumer reporting agency. Companies use this report to help decide if a person qualifies for a loan, a job, or certain types of insurance for personal or household use.

Investigative consumer report

An investigative consumer report is a special type of consumer report that focuses more on a person’s character, reputation, lifestyle, or personal traits, rather than just their credit history.

This information is gathered differently as well. It comes from personal interviews with people who know the consumer, like neighbors, friends, or coworkers. It doesn’t include detailed credit data taken directly from banks or lenders. Instead, it provides a broader look at someone’s background, often used for things like employment or insurance decisions.

Financial institution

A financial institution refers to a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person or business that, directly or indirectly, holds a transaction account. These can include institutions where individuals keep savings accounts, mortgages, credit card accounts, and other financial accounts.

Furnisher

A furnisher is any entity that provides information about consumers to CRAs to be included in consumer reports. This includes a wide range of organizations, like banks, credit card issuers, mortgage lenders, auto finance companies, debt collectors, and telecommunications providers.

Furnishers have legal obligations to ensure the accuracy and completeness of the information that they report, including correcting inaccuracies or gaps. They are also required to participate in investigations in the event of a consumer’s dispute of their credit report.

Permissible purpose

A permissible purpose is a specific and legally authorized reason for which a CRA may furnish a consumer report to a third party. These purposes include:

  • With the written instructions of the consumer
  • For the extension of credit, or review or collection of an account, involving the consumer
  • For employment purposes, provided the consumer has given written consent
  • For underwriting insurance involving the consumer
  • To determine the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality
  • For a legitimate business need in connection with a business transaction initiated by the consumer
  • To review an account to determine whether the consumer continues to meet the terms of the account
  • In response to a court order or federal grand jury subpoena
  • In response to a request by a state or local child support enforcement agency

Somewhat similar to the legal bases for data processing under the GDPR, users of consumer reports must certify their permissible purpose. They cannot obtain or use consumer reports without a certified permissible purpose, and consumer reports cannot be provided to third parties without one.

Adverse action

An adverse action refers to any decision that negatively affects a consumer, made in whole or in part based on information from a consumer report. This includes a range of business sectors and outcomes, including:

  • Credit: Denial or revocation of credit, refusal to grant credit on the terms requested, or unfavorable changes to existing credit terms
  • Insurance: Denial or cancellation of insurance coverage, increase in charges, or reduction in coverage amounts
  • Employment: Denial of employment, failure to promote, reassignment, or termination
  • Licensing and benefits: Denial or unfavorable change in terms of a license or benefit granted by a governmental agency

The FCRA requires that the consumer be notified when an adverse action is taken based on a consumer report. This is meant to ensure transparency and provide an opportunity for the consumer to have any inaccuracies in their report corrected or to dispute the decision.

Summary of your rights under the Fair Credit Reporting Act

The rights that consumers have under the Fair Credit Reporting Act center around transparency, accuracy, and privacy in the handling of their credit information, as well as recourse if there are issues.

  • Right to know: If a credit report’s information is used for an adverse action, like denial of credit, insurance, or employment, the consumer must be informed, including which CRA provided the report.
  • Right to access: Consumers can obtain a free copy of their credit report once every 12 months from each nationwide CRA. They are also entitled to a free copy of their report if use of its information has resulted in an adverse action.
  • Right to dispute/correction: Consumers can dispute inaccurate or incomplete information in their credit file and get it corrected or deleted.
  • Right to limit access to credit information: In most cases, only entities with a permissible purpose, e.g. lenders, insurers, employers, etc. — with a consumer’s written consent — can access a consumer’s report.
  • Right to privacy of medical information: Inclusion of medical information in consumer reports is restricted under certain conditions, unless the consumer has provided explicit consent.
  • Right to security freeze and fraud alerts: Consumers can have a security freeze placed on their credit reports to prevent any new credit accounts being opened with their identity. They can also add a fraud alert to their reports to warn potential creditors of possible identity theft.
  • Right to seek damages: Consumers can sue a business or CRA in federal or state court for FCRA violations. This can be for actual damages, statutory damages (in cases of willful noncompliance), and attorneys’ fees.
  • Right to opt out: Consumers can opt out of receiving unsolicited “prescreened” credit and insurance offers based on information in their credit report.

FCRA obligations for CRAs, furnishers, and users of credit reports

Companies involved in creating, disseminating, or using credit reports have a number of legal obligations under the FCRA to help ensure credit information is accurate and used fairly, and to maintain consumers’ privacy.

CRA obligations for credit information and reports

While the FCRA’s requirements have the same goals of accuracy, privacy, and fair use, there are varying requirements for different entities that access credit reports. These are the requirements for consumer reporting agencies.

  • Ensuring accuracy: CRAs must adopt reasonable procedures to ensure that the credit information they collect and disclose is as accurate as possible at all times.
  • Dispute investigations: When a consumer lodges a dispute regarding the accuracy or completeness of their credit report, a CRA has 30 days to investigate the issue (45 days in certain cases involving additional information) and correct or delete any information that is incorrect, incomplete, or unverifiable. They must then inform the consumer of the results.
  • Limit disclosures: CRAs must verify the legitimacy of requests for consumer reports, which may only be provided to third parties where there is a clearly defined permissible purpose, such as for credit, insurance, or employment.
  • Consumer access and disclosures: Consumers must be provided with a copy of their report upon request. They have the right to receive their report for free once every 12 months from each CRA. Consumers must also be provided with a summary of their rights under the FCRA upon request.
  • Notification of adverse actions: If a CRA provides a credit report that results in an adverse action, e.g. denial of credit, insurance, or employment, it must provide details to the third party taking that action so they can notify the consumer.
  • Time limits on report contents: Most negative information must be removed from a credit report after seven years, or ten years in the case of bankruptcies. CRAs may not report outdated negative information.

Furnisher obligations for credit information and reports

Credit reporting agencies aren’t the only important entities where credit information and the decisions it fuels are concerned. These are the FCRA requirements for furnishers, which are entities that provide information to CRAs.

  • Ensuring accuracy: Furnishers must ensure that the information that they collect and report is as accurate and up to date as possible at all times and not misleading.
  • Establish and maintain policies and procedures: Furnishers must implement policies to ensure data accuracy and correct handling of disputes.
  • Correction and updates: If a furnisher learns that previously reported information is inaccurate and/or incomplete, it must update, correct, or delete the information promptly.
  • Dispute investigations: When notified of a consumer dispute by a CRA, the furnisher must investigate it, review all relevant information, and report results back to the CRA.

User obligations for credit reports

In addition to the companies that collect and provide information and create and disseminate credit reports, there are users, i.e. companies that use credit reports to make business decisions. These are the FCRA requirements for users of consumer reports.

  • Use only for permissible purposes: Users must certify that they are obtaining a report only for a legally permitted reason, e.g. evaluating a job candidate or tenant, extending credit, etc.
  • Obtain written consent: Users must obtain written consent from a consumer if the user wants to use that consumer’s credit report for employment purposes.
  • Notification of adverse actions: If a user makes a decision that negatively affects a consumer, i.e. an adverse action like denial of credit, insurance, or employment, based on the consumer’s credit report, the user must provide the consumer with a notice that includes:
    • The CRA’s name and contact information
    • A statement confirming that the CRA did not make the decision resulting in the adverse action
    • Notice of the consumer’s right to a free copy of their report and their ability to dispute the report’s accuracy

Exceptions and exemptions to the FCRA

The FCRA excludes certain types of information, activities, and entities from its coverage, primarily to avoid overregulation in areas covered by other laws. The FCRA’s requirements largely focus on the sharing of information and its use in decision-making.

These types of information and uses are exempt from FCRA coverage or compliance:

  • Consumers’ personal or inapplicable use: If a consumer obtains their own credit report or information compiled by a CRA is otherwise not shared with any third party, most FCRA requirements do not apply.
  • Certain employment information or uses: Some communications or uses of data used for employment purposes may not qualify for inclusion in a consumer credit report. For example, personal references or internal employee evaluations can influence employment, but would not be included.
  • Information in informal formats: CRAs can also collect informal communications or those supplied orally, which typically are also not covered by the FCRA.
  • Non-consumer uses: The FCRA does not generally apply to information that is shared for non-consumer purposes, e.g. a business engaging in commercial transactions or for obtaining business credit.
  • Information about direct dealings: Creditors and other entities may share transaction-related or experience information about their direct dealings with a consumer, e.g. payment history or account balance, without it being classified as a consumer report.
  • Disclosures to government agencies: Some government agencies’ uses for information are exempt from requirements as required by law, or for national security or law enforcement purposes, e.g. federal grand jury subpoena.
  • Information not for FCRA purposes: Financial and credit information that is not used in a way that meets the definition of a consumer report is not generally subject to the FCRA. For example, if the information is not used to determine eligibility for credit, insurance, employment, or housing.

Who administers and enforces the FCRA?

There are multiple US federal agencies that have responsibilities for interpreting, administering, and enforcing the FCRA. Which ones take precedence depends on the type of entity involved. States’ attorneys general can also be involved in investigative and enforcement measures.

Federal Trade Commission (FTC)

The FTC is one of the main federal agencies that enforces FCRA compliance, and its jurisdiction covers entities that may not be subject to other financial regulators.

It investigates disputes and brings enforcement actions against CRAs, furnishers, and users of consumer credit reports, especially in instances of consumers’ rights violations or deceptive or unfair practices like discrimination.

The FTC has civil enforcement powers and can impose penalties, seek injunctions, and require CRAs, furnishers, or users to take corrective measures.

Consumer Financial Protection Bureau (CFPB)

The CFPB shares enforcement and interpretive authority with the FTC. It also plays a leading role in regulating other consumer financial protection laws, including writing and updating rules and amending regulations.

The CFPB oversees CRAs and financial institutions for FCRA compliance, especially entities that are not banks, such as payday lenders, mortgage servicers, and credit bureaus.

The Bureau also publishes information for consumers, like summaries of consumers’ rights under the FCRA.

Federal agencies

There are a number of agencies charged with enforcing the FCRA with banks and credit unions, particularly regarding providing credit data and ensuring its accuracy.

  • Office of the Comptroller of the Currency (OCC): National banks
  • National Credit Union Administration (NCUA): Federal credit unions
  • Federal Reserve Board (FRB): State-chartered member banks
  • Federal Deposit Insurance Corporation (FDIC): State non-member banks
  • Department of Transportation (DOT) and Surface Transportation Board (STB): Transportation businesses
  • Department of Agriculture (USDA): Certain farm credit institutions

Penalties for Fair Credit Reporting Act (FCRA) violations

Under the FCRA, there can be criminal and/or civil penalties for violations. Like many privacy laws, the penalties levied often depend on the nature and severity of the violation, willfulness, and whether the violation is a first-time or repeat offense.

Criminal penalties

The FCRA states that any person who obtains consumer information under false pretenses, or knowingly and willfully obtains information on a consumer from a CRA without a permissible purpose can be fined or imprisoned for up to two years, or both.

The amount of fines is subject to title 18 of the United States Code, but is otherwise not specified in the FCRA text.

Civil penalties

Willful noncompliance with any FCRA requirement toward any consumer can result in liability equal to any actual damages sustained by the consumer as a result of the violation, or damages between USD 100 and USD 1,000.

In cases where a person is found liable for obtaining a consumer report under false pretenses or knowingly without a permissible purpose, the penalty is actual damages sustained by the consumer as a result of the violation or USD 1,000, whichever is greater.

Additionally, the court can allow punitive damages, attorneys’ fees, and other reasonable costs.

There are a number of uses of consumers’ credit information under the FCRA for which explicit consent is required, for example background checks and report usage for employment purposes. A consent management solution can assist with obtaining, documenting, and managing consumers’ consent.

The FCRA covers data that is considered sensitive under many privacy laws, so achieving and maintaining FCRA compliance is likely to overlap with requirements of other data privacy laws across US states and some federal laws.

A consent management platform (CMP) can also help with providing consumers with transparency about data collection and use, so they know what credit-related data will be collected, how it may be used, and what parties may have access to it.

A CMP and data subject request management can also help with consumer inquiries and disputes, as well as providing consumers with notifications of the outcome of disputes, e.g. when data has been corrected.

In an increasingly digital economy, more and more sensitive data will be created and made available for use in significant decision-making. Companies need to be educated and very careful about what information they collect, maintain, and share, depending on their line of business.

Best practices like clear and legally viable processing purposes, regular data audits, ongoing staff training, security measures like access controls, clear notifications to consumers, and minimization of data collected all help companies to maintain security and consumer trust along with regulatory compliance.

William Newmark