All users of consumer reports must comply with all applicable regulations, including regulations
promulgated after this notice was first prescribed in 2004. Information about applicable regulations
currently in effect can be found at the Consumer Financial Protection Bureau’s website,


The Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681-1681y, requires that this notice be provided to inform users of
consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is
set forth in full at the Bureau of Consumer Financial Protection’s website at www.consumerfinance.gov/learnmore.
At the end of this document is a list of United States Code citations for the FCRA. Other information about user
duties is also available at the Bureau’s website. Users must consult the relevant provisions of the FCRA for
details about their obligations under the FCRA.
The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer
reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or
that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to
a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA
describing your duties as a furnisher.
A. Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible
purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under
the law. These are:
• As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)
• As instructed by the consumer in writing. Section 604(a)(2)
• For the extension of credit as a result of an application from a consumer, or the review or collection of a
consumer’s account. Section 604(a)(3)(A)
• For employment purposes, including hiring and promotion decisions, where the consumer has given
written permission. Sections 604(a)(3)(B) and 604(b)
• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
• When there is a legitimate business need, in connection with a business transaction that is initiated by the
consumer. Section 604(a)(3)(F)(i)
• To review a consumer’s account to determine whether the consumer continues to meet the terms of the
account. Section 604(a)(3)(F)(ii)
• To determine a consumer’s eligibility for a license or other benefit granted by a governmental
instrumentality required by law to consider an applicant’s financial responsibility or status. Section
• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or
prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
• For use by state and local officials in connection with the determination of child support payments, or
modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5)
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making
“prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of
“prescreened” information are described in Section VII below.
B. Users Must Provide Certifications
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA)
unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and
certifies that the report will not be used for any other purpose.
C. Users Must Notify Consumers When Adverse Actions Are Taken
The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and
employment actions affecting consumers that can be considered to have a negative impact as defined by Section
603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No
adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the
1. Adverse Actions Based on Information Obtained From a CRA
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information
contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be
done in writing, orally, or by electronic means. It must include the following:
• The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a
nationwide CRA) that provided the report.
• A statement that the CRA did not make the adverse decision and is not able to explain why the decision
was made.
• A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the
CRA if the consumer makes a request within 60 days.
• A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or
completeness of any information provided by the CRA.
2. Adverse Actions Based on Information Obtained From Third Parties Who Are Not Consumer
Reporting Agencies
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either
wholly or partly upon information from a person other than a CRA, and the information is the type of consumer
information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the
consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a
written request within 60 days of notification. The user must provide the disclosure within a reasonable period of
time following the consumer’s written request.
3. Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the
consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity
affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to
notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a
disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the
adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information
not later than 30 days after receiving the request. If consumer report information is shared among affiliates and
then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.
D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files
When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert
with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes
limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the
establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty
alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the
identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of
extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in
the consumer’s alert.
E. Users Have Obligations When Notified of an Address Discrepancy
Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the
address for a consumer provided by the user in requesting the report is substantially different from the addresses in
the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed,
which will be issued by the Consumer Financial Protection Bureau and the banking and credit union regulators.
The Consumer Financial Protection Bureau regulations will be available at www.consumerfinance.gov/learnmore/.
F. Users Have Obligations When Disposing of Records
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of
records containing this information. The Consumer Financial Protection Bureau, the Securities and Exchange
Commission, and the banking and credit union regulators have issued regulations covering disposal. The Consumer
Financial Protection Bureau regulations may be found at www.consumerfinance.gov/learnmore/.
If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit
to a consumer on material terms that are materially less favorable than the most favorable terms available to a
substantial proportion of consumers from or through that person, based in whole or in part on a consumer report,
the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the
Consumer Financial Protection Bureau.
Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property
(one to four units) and that use credit scores. These persons must provide credit scores and other information about
credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan
A. Employment Other Than in the Trucking Industry
If the information from a CRA is used for employment purposes, the user has specific duties, which are set forth in
Section 604(b) of the FCRA. The user must:
• Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a
document that consists solely of the disclosure, that a consumer report may be obtained.
• Obtain from the consumer prior written authorization. Authorization to access reports during the term of
employment may be obtained at the time of employment.
• Certify to the CRA that the above steps have been followed, that the information being obtained will not
be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse
action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s
rights will be provided to the consumer.
Before taking an adverse action, the user must provide a copy of the report to the consumer as well as
the summary of consumer’s rights. (The user should receive this summary from the CRA.) A Section 615(a)
adverse action notice should be sent after the adverse action is taken.
An adverse action notice also is required in employment situations if credit information (other than transactions and
experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2).
The procedures for investigative consumer reports and employee misconduct investigations are set forth below.
B. Employment in the Trucking Industry
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is
by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an
adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report
relied upon by the trucking company by contacting the company.
Investigative consumer reports are a special type of consumer report in which information about a consumer’s
character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by
an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given
special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the
• The user must disclose to the consumer that an investigative consumer report may be obtained. This
must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time
before or not later than three days after the date on which the report was first requested. The disclosure
must include a statement informing the consumer of his or her right to request additional disclosures of the
nature and scope of the investigation as described below, and the summary of consumer rights required by
Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the
• The user must certify to the CRA that the disclosures set forth above have been made and that the user
will make the disclosure described below.
• Upon the written request of a consumer made within a reasonable period of time after the disclosures
required above, the user must make a complete disclosure of the nature and scope of the investigation.
This must be made in a written statement that is mailed or otherwise delivered, to the consumer no later
than five days after the date on which the request was received from the consumer or the report was first
requested, whichever is later in time.
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for
compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and
compliance with written policies of the employer. These investigations are not treated as consumer reports so long
as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the
nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment
information that appears in a coded form that does not identify the medical provider). If the information is to be
used for an insurance transaction, the consumer must give consent to the user of the report or the information must
be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except
as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific
written consent and the medical information must be relevant. Any user who receives medical information shall not
disclose the information to any other person (except where necessary to carry out the purpose for which the
information was disclosed, or as permitted by statute, regulation, or order).
The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with
unsolicited offers of credit or insurance under certain circumstances. Sections 603(1), 604(c), 604(e), and 614(d).
This practice is known as “prescreening” and typically involves obtaining a list of consumers from a CRA who meet
certain preestablished criteria. If any person intends to use prescreened lists, that person must (1) before the offer
is made, establish the criteria that will be relied upon to make the offer and grant credit or insurance, and (2)
maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each
consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:
• Information contained in a consumer’s CRA file was used in connection with the transaction.
• The consumer received the offer because he or she satisfied the criteria for credit worthiness or
insurability used to screen for the offer.
• Credit or insurance may not be extended if, after the consumer responds, it is determined that the
consumer does not meet the criteria used for screening or any applicable criteria bearing on credit
worthiness or insurability, or the consumer does not furnish required collateral.
The consumer may prohibit the use of information in his or her file in connection with future prescreened
offers of credit or insurance by contacting the notification system established by the CRA that provided the
report. The statement must include the address and toll-free telephone number of the appropriate
notification system.
In addition, the Consumer Financial Protection Bureau has established the format, type size, and manner of the
disclosure required by Section 615(d), with which users must comply. The regulation is 12 CFR 1022.54.
A. Disclosure and Certification Requirements
Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:
• Disclose the identity of the end-user to the source CRA.
• Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
• Establish and follow reasonable procedures to ensure that reports are resold only for permissible
purposes, including procedures to obtain:
(1) the identity of all end-users;
(2) certifications from all users of each purpose for which reports will be used; and
(3) certifications that reports will not be used for any purpose other than the purpose(s) specified to the
reseller. Resellers must make reasonable efforts to verify this information before selling the report.
B. Reinvestigations by Resellers
Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a
reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or
delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any
CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to
the consumer.
C. Fraud Alerts and Resellers
Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting
agency to include these in their reports.
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well
as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a
consumer report under false pretenses may face criminal prosecution. Section 619.
The Consumer Financial Protection Bureau website, www.consumerfinance.gov/learnmore, has more
information about the FCRA.
FCRA Requirements
Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you as a user of information. We suggest that you and your employees become familiar with the following sections in particular:
 § 604. Permissible Purposes of Reports
 § 607. Compliance Procedures
 § 615. Requirement of users of consumer reports
 § 616. Civil liability for willful noncompliance
 § 617. Civil liability for negligent noncompliance
 § 619. Obtaining information under false pretenses
 § 621. Administrative Enforcement
 § 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
 § 628. Disposal of Records
As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of reports for employment purposes. In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted.
As a prospective user of consumer reports, we require that you and your staff comply with all relevant federal statutes and the statutes and regulations of the states in which you operate.
People Check by Gana, LLC strongly endorses the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce. We support consumer reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information.
We encourage you to view these laws on the Federal Trade Commission’s web site at: www.ftc.gov.
Access Security Requirements
We must work together to protect the privacy and information of consumers. The following information security measures are designed to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. Capitalized terms used herein have the meaning given in the Glossary attached hereto. The credit reporting agency reserves the right to make changes to Access Security Requirements without notification. The information provided herewith provides minimum baselines for information security. In accessing the credit reporting agency’s services, you agree to follow these security requirements:
1. Implement Strong Access Control Measures
1.1 Do not provide your credit reporting agency Subscriber Codes or passwords to anyone. No one from the credit reporting agency will ever contact you and request your Subscriber Code number or password.
1.2 Proprietary or third party system access software must have credit reporting agency Subscriber Codes and password(s) hidden or embedded. Account numbers and passwords should be known only by supervisory personnel.
1.3 You must request your Subscriber Code password be changed immediately when: any system access software is replaced by another system access software or is no longer used; the hardware on which the software resides is upgraded, changed or disposed of
1.4 Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s).
1.5 Create a separate, unique user ID for each user to enable individual authentication and accountability for access to the credit reporting agency’s infrastructure. Each user of the system access software must also have a unique logon password.
1.6 Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users’ profiles.
1.7 Keep user passwords Confidential.
1.8 Develop strong passwords that are: Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters); Contain a minimum of seven (7) alpha/numeric characters for standard user accounts
1.9 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations.
1.10 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
1.11 Restrict the number of key personnel who have access to credit information.
1.12 Ensure that authorized personnel with access to credit information have a business need to access information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
1.13 Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.14 Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.15 After normal business hours, turn off and lock all devices or systems used to obtain credit information.
1.16 Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information.
2. Maintain a Vulnerability Management Program
2.1 Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
• Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.
• If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
• On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.
2.4 Implement and follow current best security practices for computer anti-Spyware scanning services and procedures:
• Use, implement and maintain a current, commercially available computer anti-Spyware scanning product on all computers, systems and networks.
• If you suspect actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated.
• Run a secondary anti-Spyware scan upon completion of the first scan to ensure all Spyware has been removed from your computers.
• Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files weekly, at a minimum. If your company’s computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly.
3. Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).
3.2 All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum.
3.5 Only open email attachments and links from trusted sources and after verifying legitimacy.
4. Maintain Information Security Policy
4.1 Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
4.2 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators.
4.3 The FACTA Disposal Rules require that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.4 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization.
5. Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized Firewalls configured and managed using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any stand alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Encrypt Wireless access points with a minimum of WEP 128 bit encryption, WPA encryption where available.
5.6 Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point.
6. Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, vulnerability scanning).
6.2 Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by protecting against intrusions; securing the computer systems and network devices; and protecting against intrusions of operating systems or software.
Record Retention: Subscriber will maintain copies of all written authorizations for a minimum of five (5) years from the date of inquiry. Additionally, the Federal Equal Opportunities Act states that a creditor must preserve all written or recorded information connected with an application for 25 additional months. The credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 7.1 years. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. When conducting an investigation, particularly following a consumer complaint that subscriber impermissibly accessed their credit report, MCB/Experian will contact subscriber, request a copy of the original application signed by the consumer and, if applicable, a copy of the sales contract. “Under Section 621(a)(2)(A) of the FCRA, any person that violates provisions of the FCRA may be liable for a civil penalty of not more than $2500 per violation.”

