The Fair Credit Reporting Act's adverse action and accuracy obligations apply fully to AI-driven credit decisions — algorithmic complexity is not an excuse.
The Fair Credit Reporting Act (FCRA), enacted in 1970, is one of the oldest and most important consumer protection laws governing the use of credit information in the United States. For banks and financial institutions, FCRA compliance is essential to the core function of lending. FCRA governs how banks access credit reports, how they use information from those reports to make credit decisions, and critically, how they must treat consumers when those decisions go against them. In the age of artificial intelligence and machine learning, FCRA takes on even greater importance because many of the concepts FCRA established in 1970 — like accurate reporting and proper adverse action notice — now intersect directly with algorithmic decision-making. The Consumer Financial Protection Bureau (CFPB) has made clear that complexity in AI does not excuse compliance with FCRA obligations, and enforcement actions have begun targeting lenders whose AI systems fail to provide adequate adverse action notices or whose algorithms discriminate based on protected class status.
FCRA is a comprehensive law that regulates consumer reporting agencies (CRAs), furnishers of credit information, and users of credit reports. The law serves two core purposes: to ensure that information in credit reports is as accurate as possible and to regulate how credit information can be used to make decisions about consumers. FCRA is critical in lending because credit reports are often the most important document in credit decisions. A credit report compiles a consumer's credit history, payment behavior, outstanding debts, credit inquiries, and public records into a single document that enables lenders to quickly assess creditworthiness. Because credit reports are so consequential, FCRA imposes strict accuracy and dispute resolution obligations on the entities that maintain them (CRAs) and the entities that provide data to them (furnishers).
For banks using AI to supplement, automate, or replace traditional credit analysis, FCRA remains directly applicable. If a bank uses a credit report in making a credit decision (whether the bank is the only input or one of many), FCRA obligations attach. If the bank then denies credit or makes an adverse change to credit terms, FCRA requires the bank to provide the consumer with an adverse action notice explaining why. This requirement has not changed with the advent of AI, but the CFPB has clarified that algorithms and machine learning do not create an exception to this requirement.
FCRA divides the credit ecosystem into three categories of actors, each with distinct obligations. Consumer reporting agencies (CRAs) are entities that maintain credit files on consumers and sell credit reports to third parties. The major CRAs are Equifax, Experian, and TransUnion, but the term also includes specialty CRAs that report on payment history, rental history, utility payment history, or employment verification. Furnishers are entities that provide credit information to CRAs. Banks are furnishers when they report customer payment history, account balances, and defaults to the major CRAs. Users are entities that access and use credit reports to make decisions about consumers. Banks are also users when they pull credit reports in making lending decisions.
The distinction matters because each category has different compliance obligations. CRAs must maintain procedures to ensure that the information in credit files is accurate and timely, must investigate disputes, and must follow strict notice and disclosure procedures. Furnishers must provide accurate information to CRAs and must investigate disputes from consumers about information the furnisher has provided. Users must ensure that they use credit reports only for permissible purposes, must provide adverse action notices when they take adverse action, and must ensure that their use of credit information complies with other laws (particularly ECOA and fair lending laws).
FCRA's accuracy and dispute resolution framework is central to consumer protection. Both CRAs and furnishers must maintain procedures to ensure accuracy. If a CRA or furnisher determines that information it maintains or furnishes is not complete or accurate, it must correct or delete that information. If a consumer disputes information in their credit file, the consumer can submit a dispute to the CRA or, under FCRA Section 611 as updated, directly to the furnisher.
When a CRA receives a dispute, the CRA must conduct a reasonable investigation within 30 days (extendable to 45 days under certain circumstances). A reasonable investigation requires the CRA to examine sufficient evidence to determine whether the disputed information is accurate. If the CRA cannot verify that information is accurate, the CRA must delete or correct that information. Additionally, if the CRA discovers that information is inaccurate or incomplete, the CRA must notify all furnishers who have provided that information of the correction.
Furnishers face parallel obligations. When a furnisher receives notice from a CRA that a consumer disputes information, the furnisher must investigate the disputed information, provide all relevant information to the CRA for the CRA's investigation, and report the results to the CRA within 30 days (with a possible 15-day extension). If the furnisher cannot affirmatively verify that it has accurately reported the disputed information, the furnisher must modify, delete, or block the reporting of that information. The CFPB has emphasized that furnishers cannot simply ignore disputes or require consumers to provide specific formats, documentation, or attachments beyond what FCRA and its implementing regulations permit.
The consequences of failure are substantial. Consumers have the right to sue CRAs and furnishers for violations of accuracy and dispute investigation obligations. Class actions are possible, and damages include actual damages (such as credit harm), statutory damages (if a violation is willful), and attorney's fees.
One of FCRA's most critical requirements is the adverse action notice obligation. When a creditor takes adverse action based in whole or in part on information in a credit report, the creditor must provide the consumer with a notice explaining the action, the fact that the action was influenced by the credit report, the name and address of the CRA that provided the report, and the specific reason(s) why the credit was denied or terms were changed. The notice must be clear and specific. A consumer must be able to read the notice and understand exactly why they were denied credit or why their rate was increased.
For banks using AI to make credit decisions, this requirement creates a critical intersection between FCRA and AI governance. If a bank's algorithm denies a loan application, the bank must still provide an accurate, understandable adverse action notice. The CFPB has issued guidance making clear that the complexity of an algorithm does not excuse this requirement. A lender cannot simply reference a model name or say that the applicant did not meet the lender's internal standards without providing the specific reason. If the model incorporated credit report data, the lender must explain how that credit data contributed to the decision. If the model incorporated other factors (income, employment history, assets, debt-to-income ratio), the notice must explain what those factors were and how they influenced the outcome.
The notice must be provided within a specific timeframe. For applications, the notice must be provided within 30 days of the adverse action decision. The notice must be in writing and in clear, plain language. A consumer must be able to dispute information they believe is inaccurate in light of the adverse action notice, and the lender must facilitate that dispute.
FCRA strictly limits the purposes for which credit reports can be accessed. Creditors can pull credit reports for credit decisions, credit monitoring, prescreening for offers, and other specified purposes, but cannot pull reports simply because a consumer has applied for a job with the bank, for general background checks, or for marketing purposes (with narrow exceptions). Banks must have written policies addressing permissible purposes and must ensure that employees access credit reports only for permissible purposes.
For banks deploying AI systems, this creates a governance question: if a bank is using historical credit data to train a machine learning model that will be used to assess creditworthiness, is that use a permissible purpose? The answer is complicated. If the bank is using the data for model development in support of a permissible purpose (like improving credit decision-making), the use may be permissible. If the bank is using credit data to develop a scoring model for other purposes (like marketing or employee assessment), the use may violate FCRA. Banks must ensure that their data governance and AI development practices align with FCRA permissible purposes.
The rise of AI in credit scoring has created new compliance challenges under FCRA. Traditional credit scoring relies on credit report data, income, employment, and debt obligation. AI-driven credit scoring can incorporate alternative data: utility payment history, rental payment history, bank transaction history, education, income level inferred from transaction patterns, and other non-traditional data sources. Some alternative data sources are regulated under FCRA as credit reports (for example, consumer reports about utility payments or rental history). Other alternative data sources may not be regulated as credit reports but may be regulated as consumer information under other laws.
Banks using alternative data must ensure that any alternative data source that functions as a credit report is obtained from a compliant CRA or directly from the consumer, and that the same adverse action notice obligations apply. If a bank denies credit based partly on alternative data not derived from a credit report, the bank should clearly disclose that fact in the adverse action notice and explain how that alternative data influenced the decision. This transparency is essential for FCRA compliance and also serves the broader fair lending and consumer protection goals that alternative credit scoring is meant to advance.
The CFPB has broad enforcement authority under FCRA and has been increasingly active in prosecuting violations related to credit decision-making and adverse action notices. The CFPB has issued guidance on providing adverse action notices when using AI or complex models, making clear that lenders cannot hide behind algorithm complexity. The CFPB's guidance states that a creditor should "ensure that the information in an adverse action notice is accurate and explains the material factors relating to the applicant's creditworthiness that negatively affected the credit decision." This requirement applies whether the decision was made by a human or by an algorithm.
FCRA violations carry significant penalties. For CRAs and furnishers, civil penalties can range from $100 to $1,000 per consumer per violation in the case of willful violations. Negligent violations are subject to actual damages only (the harm to the consumer from inaccurate reporting), which can be substantial if the inaccuracy resulted in a loan denial or higher interest rate. For creditors (including banks), willful violations of adverse action notice requirements or other creditor obligations under FCRA can result in statutory damages, actual damages, and attorney's fees. Class actions are common, and settlements have reached hundreds of millions of dollars.
Additionally, violations of FCRA can trigger violations of fair lending laws (ECOA and the Fair Housing Act) because inaccurate credit reporting or improper adverse action notices can mask or facilitate discrimination. A bank that fails to provide a specific adverse action notice may inadvertently create evidence that its credit decision was based on protected class status rather than legitimate credit factors.
Corvair helps financial institutions manage FCRA compliance in the context of AI-driven credit decision-making. Our platform supports adverse action notice generation that accurately reflects both credit report factors and AI model factors, ensuring that notices are specific, accurate, and compliant with CFPB guidance. For institutions managing credit data used in AI training, Corvair provides data governance tools to ensure permissible purposes are documented and maintained, and that historical credit data used in model development is properly secured and subject to appropriate access controls. Corvair also helps institutions generate dispute investigation workflows that comply with FCRA's reasonable investigation standard.
Schedule a BriefingEqual credit opportunity requirements that apply alongside FCRA in every AI-driven credit decision.
Read guideCalifornia privacy rules that supplement FCRA obligations for consumer credit data handling.
Read guideThe foundational federal financial privacy framework that governs NPI alongside FCRA credit data rules.
Read guide