Credit Work Group Recommendation
To: Credit Work Group
From: Mike Bixby – (305) 829-5549
Paul Wills – (770) 740-7353
Date: October 7, 2004
Re: FACT Act Implications and Recommendations
THIS MISMO STANDARD INCLUDES THE END USER LICENSE AGREEMENT ATTACHED HERETO AT http://www.mismo.org/mismo/pdf/ipr_policy.pdf AND IS GOVERNED BY AND SUBJECT TO THE END USER LICENSE AGREEMENT. NO USER OF THIS STANDARD MAY REMOVE THIS REFERENCE TO AND STATEMENT REGARDING THE END USER LICENSE. ANY HARD COPY PUBLICATION OF THIS STANDARD MUST INCLUDE AND ATTACH A HARD COPY PRINT OUT OF THE END USER LICENSE. ANY FURTHER ELECTRONIC DISTRIBUTION OF THIS STANDARD MUST INCLUDE A SPECIFIC REFERENCED LINK TO THE END USER LICENSE AGREEMENT OR OTHER MEANS OF ATTACHMENT OF THE END USER LICENSE AGREEMENT.
I. Overview
This Document
The Fair and Accurate Credit Transactions Act of 2003 (the FACT Act or FACTA) was signed into law in December 2003. As an amendment to the Federal Fair Credit Reporting Act (FCRA), it contains a number of provisions which affect the reporting of credit data to the mortgage lending community.
This document serves three purposes:
1. It discusses the impact of the FACT Act on the credit reporting data that is defined by the MISMO Credit Reporting data standards, and
2. It proposes recommendations for standardizing the syntax used in FACT Act Alert messages by the credit bureaus that use the existing MISMO v1.x, v2.x and X12 formats. These recommendations will allow lenders to be able to detect the FACT Act messages properly, and then take the appropriate actions that are defined in the FACT Act. It is a guide to technology professionals to assist them in their programming efforts to support the FACT Act messages, and
This document is not meant to be used as a recommendation on lender compliance with the FACT Act. Compliance with the FACT Act should be discussed with your company’s management and legal counsel.
ONLY those provisions of the FACT Act, which will require changes to XML data, will be addressed. There are numerous other provisions of the Act that do not impact XML or merged credit providers or customers.
II. FACT Act Provisions
There are 4 FACT Act provisions that directly affect the XML representation. These are:
5th reason code on Credit Risk scores
Fraud Alerts
Active Duty Alert
Address Discrepancy Indicator
Each of these sections will be discussed, and sample MISMO Version 2.x XML, MISMO 1.x XML, and X12-200 Transaction fragments will be provided.
A. 5th Reason Code – When Inquiries Affect Credit Scores
Overview – What the Law Says
When a consumer reporting agency (a credit repository or a mortgage reporting company) provides credit scores for mortgage purposes to mortgage lenders or mortgage arrangers/brokers, the consumer reporting agency must include a statement regarding the role of inquiries in the score if the number of inquiries adversely affected the score – even if the number of inquiries was not one of the top four reason codes. This information about the role of inquiries, commonly referred to as the “5th reason code”, enables mortgage lenders and mortgage arrangers to meet their FACT Act obligation to disclose credit scores and information about credit scores, including the 5th reason code, to consumers.
XML Implementation
The MISMO XML credit response format has always had a separate element for “alert” messages. This message type indicates that there is something in the credit file that the user of the credit file should take note of and possibly take some type of action on. When the risk score value has been adversely affected by credit inquiries in the credit file, this condition can be indicated by an alert message. The presence of this message will indicate to the lender or broker that a disclosure to the consumer regarding the score value may be needed under the FACT Act.
MISMO Version 2.3.1 Example
For MISMO 2.3.1, the FACTA alert related to the Risk Score Value is reported both as a Credit File Alert Message with a CategoryType=“FACTARiskScoreValue” attribute, and in the Credit Score element as a FACTAInquiriesIndicator=“Y” attribute.
<CREDIT_RESPONSE>
  <CREDIT_FILE CreditFileID="B-XP-01" BorrowerID="BOR01" CreditRepositorySourceType="Experian">
    <_ALERT_MESSAGE _Code="08" _CategoryType="FACTARiskScoreValue">
      <_Text>FACTA: Risk Score Value - The Experian Fair Isaac Risk Score Value was adversely affected by credit inquiries present in the credit file.</_Text>
    </_ALERT_MESSAGE>
  </CREDIT_FILE>
  <CREDIT_SCORE CreditScoreID="CRScr0000" BorrowerID="BOR01" CreditFileID="CB01" CreditReportIdentifier="48AP76" CreditRepositorySourceType="Equifax" _ModelNameType="EquifaxBeacon" _Value="685" FACTAInquiriesIndicator="Y">
    <_FACTOR _Code="39" _Text="SERIOUS DELINQUENCY"/>
    <_FACTOR _Code="18" _Text="NUMBER OF ACCOUNTS WITH DELINQUENCY"/>
    <_FACTOR _Code="11" _Text="AMOUNT OWED ON REVOLVING ACCOUNTS IS TOO HIGH "/>
    <_FACTOR _Code="2" _Text="LEVEL OF DELINQUENCY ON ACCOUNTS"/>
  </CREDIT_SCORE>
</CREDIT_RESPONSE>
MISMO Version 1.x Example
<CREDITFILEALERTMESSAGE CREDITFILEALERTMESSAGEID="CFAMID001">
  <Message>FACTA: Risk Score Value - The Experian Fair Isaac Risk Score Value was adversely affected by credit inquiries present in the credit file.</Message>
</CREDITFILEALERTMESSAGE>
X12 200 VAR-NTE (2/710) Segment Example
Here is an X12 200 example of a VAR-NTE (2/710) RISK SCORE VALUE ALERT Message Segment. NTE-01 is set to CRA – Credit Report Alert. Text Length of NTE-02 cannot exceed 80 characters:
NTE~CRA~FACTA: Risk Score Value – Credit Inquiries adversely affected the score value.
What Users Must Do
Users must program to generate the FACTA Risk Score Value ALERT MESSAGE when they receive an indication from the repository bureau for the “5th reason code”.
B. FRAUD ALERTS
OVERVIEW – What the Law Says
Initial Fraud Alerts: Upon the request of a consumer who believes they have been or are about to become a victim of fraud, including identity theft, a credit repository (national consumer reporting agency) that maintains a file on the consumer and has received appropriate proof of identity shall include a fraud alert in the file of that consumer, and provide that alert along with any credit score generated in using that file, for 90 days. If the consumer provides their contact information, the credit repository must provide this information along with the initial fraud alert to any credit report users.
Extended Fraud Alerts: Upon the request of a consumer who submits an identity theft report to a credit repository (national consumer reporting agency) that maintains a file on the consumer and has received appropriate proof of identity, the credit repository shall include a fraud alert in the file of that consumer, and provide that alert along with any credit score generated in using that file, for 7 years. The consumer is also to provide their contact information and the credit repository must provide it along with the extended fraud alert to any credit report users.
Summarizing, as of December 1, 2004, credit repositories must maintain a status of:
Fraud to consumer credit files
Includes initial 90-day fraud alert, extended 7-year fraud alert
Additional Contact information (consumer contact information)
Mortgage reporting companies that receive the Initial Fraud Alerts and Extended Fraud Alerts from credit repositories must re-convey these alerts and the consumer contact information to users of their mortgage reports.
XML Implementation
Each credit repository is implementing these alert requirements a little differently. We recommend passing the information in the _ALERT_MESSAGE container of the CREDIT_FILE parent.
The additional contact information could be sent in CREDIT_COMMENT sections of the report. See below for a sample.
All the text messages will begin with: FACTA: Fraud Victim Initial –, or FACTA: Fraud
MISMO Version 2.x Example
NOTE: This particular ALERT MESSAGE element also contains additional _Text elements that may be used for reporting the consumer contact information.
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="V">
    <_Text>FACTA: Fraud Victim Initial – Consumer is a victim of fraudulent activity. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</_Text>
    <_Text>Consumer Name: Joe Consumer</_Text>
    <_Text>Consumer Address: 234 15th ST, Atlanta, GA</_Text>
    <_Text>Consumer Phone: 555-4444</_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 2.3.1 Example
For MISMO 2.3.1, the FACTA Fraud Victim alert is reported as a Credit File Alert Message with either a CategoryType=“FACTAFraudVictimInitial” attribute or a CategoryType=“FACTAFraudVictimExtended” attribute.
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="V" _CategoryType="FACTAFraudVictimInitial">
    <_Text>FACTA: Fraud Victim Initial – Consumer is a victim of fraudulent activity. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 1.x Example
<CREDITFILEALERTMESSAGE CREDITFILEALERTMESSAGEID="CFAMID001">
  <Message>FACTA: Fraud Victim Initial – Consumer is a victim of fraudulent activity. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</Message>
</CREDITFILEALERTMESSAGE>
X12 200 VAR-NTE (2/710) Segment Example
Here is an X12 200 example of a VAR-NTE (2/710) FRAUD VICTIM ALERT Message Segment. NTE-01 is set to CRA – Credit Report Alert. Text Length of NTE-02 cannot exceed 80 characters:
NTE~CRA~FACTA: Fraud Victim Initial – Consumer is a victim of fraudulent activity.
What Users Must Do
Begin programming
Users of mortgage credit reports must program to receive and appropriately handle each of the alerts that the credit repositories will provide and that mortgage reporting companies will re-convey. Users must program to receive and appropriately handle consumer contact information that is reported.
Take note of User Requirements for Alerts and Consumer Contact Information.
Initial Fraud Alerts: No User of a consumer report or a mortgage credit report that includes an initial fraud alert may establish a new credit plan or extension of credit, other than an open-end credit plan, in the name of the consumer, or grant any increase in credit limit on existing account requested by a consumer, unless the User forms a reasonable belief that they know the identity of the person making the request.
If the consumer has provided a telephone number or other contact information, before authorizing any new credit plan or extension of credit described above, the User shall contact the consumer using that telephone number or take reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan is not the result of identity theft.
Extended Fraud Alerts: No User of a consumer report or a mortgage credit report that includes an extended fraud alert may establish a new credit plan or extension of credit, other than under an open-end credit plan, in the name of the consumer, or any increase in credit limit on an existing credit account requested by a consumer, unless the User contacts the consumer in person or using the contact information provided with the report to confirm that the application for a new credit plan or increase in credit limit is not the result of identity theft.
C. ACTIVE DUTY ALERTS
Overview - What the Law Says
Active Duty Alerts: Upon the request of an active duty military consumer, a credit repository (national consumer reporting agency) that maintains a file on the consumer shall include an active duty alert in the consumer’s file, and shall for the next 12 months provide that alert along with any credit report or credit score generated using that file. If the consumer provides their contact information, the credit repository must provide this information along with the active duty alert to any credit report users.
Summarizing, as of December 1, 2004, credit repositories must maintain an additional status of:
Active Duty to consumer credit files
Includes 12 month active duty alert
Additional Contact information (consumer contact information)
Mortgage reporting companies that receive the active duty alerts from credit repositories must re-convey these alerts and any consumer contact information that was provided to users of their mortgage reports.
XML Implementation
The active duty alerts are passed in the same place as the fraud alerts. However, an active duty alert by itself does not signify fraud or potential fraud.
All the text messages will begin with: FACTA: Active Duty –, to make identification of the message type easier.
MISMO Version 2.x Example
NOTE: This particular ALERT MESSAGE element also contains additional _Text elements that may be used for reporting the consumer contact information.
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="N">
    <_Text>FACTA: Active Duty - Consumer is a member of the military on active duty. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</_Text>
    <_Text>Consumer Name: Joe Consumer</_Text>
    <_Text>Consumer Address: 234 15th ST, Atlanta, GA</_Text>
    <_Text>Consumer Phone: 555-4444</_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 2.3.1 Example
For MISMO 2.3.1, the FACTA Active Duty alert is reported as a Credit File Alert Message with a CategoryType=“FACTAActiveDuty” attribute.
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="N" _CategoryType="FACTAActiveDuty">
    <_Text>FACTA: Active Duty - Consumer is a member of the military on active duty. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 1.x
<CREDITFILEALERTMESSAGE CREDITFILEALERTMESSAGEID="CFAMID001">
  <Message>FACTA: Active Duty - Consumer is a member of the military on active duty. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</Message>
</CREDITFILEALERTMESSAGE>
X12 200 VAR-NTE (2/710) Segment Example
Here is an X12 200 example of a VAR-NTE (2/710) ACTIVE DUTY ALERT Message Segment. NTE-01 is set to CRA – Credit Report Alert. Text Length of NTE-02 cannot exceed 80 characters:
NTE~CRA~FACTA: Active Duty - Consumer is a member of the military on active duty.
What Users Must Do
Begin programming
Users of mortgage credit reports must program to receive and appropriately handle active duty alerts that the credit repositories will provide. Users must program to receive and appropriately handle consumer contact information that is also reported.
Take note of User Requirements for Alerts and Consumer Contact Information
Active Duty Alerts: No User of a consumer report or a mortgage credit report that includes an Active Duty Alert may establish a new credit plan or extension of credit, other than an open-end credit plan, in the name of the consumer, or grant any increase in credit limit on existing account requested by a consumer, unless the User forms a reasonable belief that they know the identity of the person making the request.
If the consumer has provided a telephone number or other contact information, before authorizing any new credit plan or extension of credit described above, the User shall contact the consumer using that telephone number or take reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan is not the result of identity theft.
D. ADDRESS DISCREPANCY INDICATOR
OVERVIEW – What the Law Says
If a person has requested a consumer report relating to a consumer from a credit repository (national consumer reporting agency), and the request includes an address for the consumer that substantially differs from the addresses in the credit file of the consumer, and the agency provides a consumer report in response to the request, the consumer reporting agency shall notify the requester of the existence of the address discrepancy.
XML Implementation
The credit repositories will send their own alert code when differences are found between the address submitted in the inquiry and the address in the repository bureau’s credit file.
All the text messages will begin with: FACTA: Address Discrepancy –, to make identification of the message type easier.
MISMO Version 2.x Example
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="Y">
    <_Text>FACTA: Address Discrepancy –Substantial difference between the address submitted in the credit request and the address(es) in the credit file. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT. </_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 2.3.1
For MISMO 2.3.1, the FACTA Address Discrepancy alert is reported as a Credit File Alert Message with a CategoryType=“FACTAAddressDiscrepancy” attribute.
<CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="Y" _CategoryType="FACTAAddressDiscrepancy">
    <_Text>FACTA: Address Discrepancy –Substantial difference between the address submitted in the credit request and the address(es) in the credit file. VERIFY IDENTIFY OF CONSUMER BEFORE GRANTING CREDIT.</_Text>
  </_ALERT_MESSAGE>
</CREDIT_FILE>
MISMO Version 1.X
Due to the structure of the 1.X transmission, only the text will be sent, in the Message element of the CREDITFILEALERTMESSAGE container. For example:
<CREDITFILEALERTMESSAGE CREDITFILEALERTMESSAGEID="CFAMID001">
X12 200 VAR-NTE (2/710) Segment Example
Here is an X12 200 example of a VAR-NTE (2/710) ADDRESS DISCREPANCY ALERT Message Segment. NTE-01 is set to CRA – Credit Report Alert. Text Length of NTE-02 cannot exceed 80 characters:
NTE~CRA~ FACTA: Address Discrepancy – VERIFY IDENTIFY OF CONSUMER.
What Users Must Do
Begin programming
Users of mortgage credit reports must program to receive and appropriately handle FACTA Address Discrepancy Indicators that the credit repositories will provide.
Take note of User Requirements for Address Discrepancy Indicators
Users who receive an Address Discrepancy Indicator code indicating that an address difference occurred must follow the policies and procedures prescribed by federal agencies:
1. To form a reasonable belief that the User knows the identity of the person to whom the consumer report pertains; and
2. If the User establishes a continuing relationship with the consumer, and the User regularly and in the ordinary course of business furnishes information to one of the credit repositories, to reconcile the address of the consumer with the credit repositories by furnishing such address to the credit repositories as part of information regularly furnished by the User for the period in which the relationship is established.
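The alert formats shown in this section can be detected in software by preferring the 2.3.1 _CategoryType attribute and falling back to the "FACTA:" text prefix for 2.x, 1.x and X12. The following Python is an added example, not part of the MISMO recommendation; the function names, the snake-case kind labels and the sample document (assembled from the fragments above) are assumptions of this example, and X12 input is assumed to arrive as a list of segments.

```python
import re
import xml.etree.ElementTree as ET

# "FACTA: <label> -" prefix; the page's samples use both "-" and an en dash.
FACTA_TEXT = re.compile(r"^\s*FACTA:\s*([A-Za-z ]+?)\s*[-\u2013]")

def snake(label):
    """'Fraud Victim Initial' or 'FraudVictimInitial' -> 'fraud_victim_initial'."""
    return "_".join(re.sub(r"(?<=[a-z])(?=[A-Z])", " ", label).lower().split())

def kind_from_text(text):
    """Alert kind for a FACTA-prefixed message, None for any other text."""
    if not (text or "").lstrip().startswith("FACTA:"):
        return None
    m = FACTA_TEXT.match(text)
    # Fail closed: a FACTA message with an unreadable label still needs review.
    return snake(m.group(1)) if m else "facta_unrecognized"

def scan_mismo(xml_text):
    """Return FACTA findings from a MISMO 1.x / 2.x / 2.3.1 credit response."""
    root, found = ET.fromstring(xml_text), []
    for cf in root.iter("CREDIT_FILE"):
        for alert in cf.iter("_ALERT_MESSAGE"):
            texts = [(t.text or "").strip() for t in alert.findall("_Text")]
            cat = alert.get("_CategoryType", "")
            # 2.3.1: use the attribute; 2.x: fall back to the text prefix.
            kind = snake(cat[5:]) if cat.startswith("FACTA") else None
            kind = kind or next(filter(None, map(kind_from_text, texts)), None)
            if kind:
                found.append({"kind": kind, "borrower": cf.get("BorrowerID"),
                              "source": cf.get("CreditRepositorySourceType"),
                              # extra _Text elements may carry consumer contact data
                              "contact": [t for t in texts
                                          if t and kind_from_text(t) is None]})
    for score in root.iter("CREDIT_SCORE"):  # 2.3.1 "5th reason code" flag
        if score.get("FACTAInquiriesIndicator") == "Y":
            found.append({"kind": "risk_score_value", "borrower": score.get("BorrowerID"),
                          "source": score.get("CreditRepositorySourceType"), "contact": []})
    for msg in root.iter("CREDITFILEALERTMESSAGE"):  # 1.x carries text only
        kind = kind_from_text(msg.findtext("Message"))
        if kind:
            found.append({"kind": kind, "borrower": None, "source": None, "contact": []})
    return found

def scan_x12(segments):
    """Kinds found in X12 200 NTE segments whose NTE-01 is CRA."""
    kinds = []
    for seg in segments:
        parts = seg.strip().split("~", 2)
        if len(parts) == 3 and parts[:2] == ["NTE", "CRA"]:
            kind = kind_from_text(parts[2])
            if kind:
                kinds.append(kind)
    return kinds

# Constructed sample assembled from the fragments in this section.
SAMPLE = """<CREDIT_RESPONSE>
 <CREDIT_FILE CreditFileID="B-EFX-01" BorrowerID="BOR01" CreditRepositorySourceType="Equifax">
  <_ALERT_MESSAGE _Code="V">
   <_Text>FACTA: Fraud Victim Initial \u2013 Consumer is a victim of fraudulent activity.</_Text>
   <_Text>Consumer Phone: 555-4444</_Text>
  </_ALERT_MESSAGE>
  <_ALERT_MESSAGE _Code="N" _CategoryType="FACTAActiveDuty">
   <_Text>FACTA: Active Duty - Consumer is a member of the military on active duty.</_Text>
  </_ALERT_MESSAGE>
 </CREDIT_FILE>
 <CREDIT_SCORE BorrowerID="BOR01" CreditRepositorySourceType="Equifax" _Value="685" FACTAInquiriesIndicator="Y"/>
</CREDIT_RESPONSE>"""

if __name__ == "__main__":
    for finding in scan_mismo(SAMPLE):
        print(finding)
```

A message that starts with "FACTA:" but whose label cannot be read is reported as facta_unrecognized rather than dropped, so it still reaches manual review.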
III. Version 2.3.1 DTD Changes for FACT Act
In the previous section, several examples were presented showing possible implementations of the FACT Act Alerts using additional attributes or data values that could be added in a Version 2.3.1 release. This section lists all of the additional attributes and data values that are being considered for the CREDIT SCORE and CREDIT FILE / ALERT MESSAGE elements.
A. CREDIT SCORE Element Enhancements
One of the FACT Act provisions requires that mortgage lenders notify consumers if their risk score value was negatively affected by the presence of inquiries on the credit report, if it was not already reported as one of the four risk score factors. To make automated identification of these risk scores easier, a new attribute is being added to the CREDIT_SCORE element of the Version 2.3.1 Credit Response.
FACTAInquiriesIndicator – This Boolean (Y/N) attribute describes the type of alert message related to the credit score value. There are two enumerated values:
“Y” – Inquiries have affected the credit score value and consumer notification may be required in compliance with the FACT Act.
“N” – The credit score value was not affected by inquiries.
B. CREDIT FILE ALERT MESSAGE Element Enhancements
The FACT Act provisions may require compliance by users of the credit report data if any of several types of alert messages are present in the credit file. To make automated identification of these alert messages easier, there are two new attributes being proposed for addition to the CREDIT_FILE / _ALERT_MESSAGE element of the Version 2.3.1 Credit Response.
_CategoryType – The existing _Type attribute lists specific repository bureau alert product names. For Version 2.3.1 a more generic “Category Type” attribute is proposed to allow easier automated reaction to specific alert message categories by software reading the credit response data. The proposed Category Type attribute values are shown below, and FACT ACT related values are highlighted.
o “FACTAActiveDuty” – The alert message indicates that the borrower is on active military duty. There may be FACT Act compliance requirements related to this status.
o “FACTAFraudVictimExtended” – The alert message is a Fraud Victim “extended” alert. There may be FACT Act compliance requirements related to this status. “Extended” alerts are maintained by the credit repositories for seven years.
o “FACTAFraudVictimInitial” – The alert message is a Fraud Victim “initial” alert. There may be FACT Act compliance requirements related to this status. “Initial” alerts are maintained by the credit repositories for 90 days.
o “FACTARiskScoreValue” – The alert message indicates that the Risk Score Value was negatively affected by the presence of inquiries on the credit report. There may be FACT Act compliance requirements related to this status.
o “CreditFileSuppressed” – The file exists, but suppressed due to borrower’s request, or borrower is a minor, or credit freeze in compliance with any state law.
o “DeathClaim” – Death benefits have been filed through SSN or other source, or death certificate is on file.
o “DemographicsVerification” – Message related to potentially fraudulent, missing or erroneous request data – borrower name, address, etc. (i.e. Equifax SAFESCAN, Experian FACS Plus, Trans Union HAWK Alert, etc.)
o “FraudVictim” – The alert message indicates that the borrower had been a victim of credit fraud or identity theft. This message may indicate compliance requirements in some states.
o “Other” – The credit score value has been affected by some other value that will be listed in the _CategoryTypeOtherDescription attribute.
o “SSNVerification” – The message provides additional information related to the issue date, state of issue and other data related to the borrower’s Social Security Number.
_CategoryTypeOtherDescription – When the _CategoryType attribute value