Read Regs

Title 12 · Federal Reserve, OCC, FDIC

Fair Credit Reporting

12 C.F.R. Part 717 · Updated January 1, 2026

View on eCFR ↗

§ 717.80-717.81 — 717.80-717.81 [Reserved]

§ 717.82 — Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency described in 15 U.S.C. 1681a(p), and that is a federal credit union.

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency described in 15 U.S.C. 1681a(p) pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief—(1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 1020.220);

(B) Maintains in its own records, such as applications, change of address notifications, other member account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address—(1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681a(p) from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681a(p) as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

§ 717.83 — Disposal of consumer information.

(a) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in a manner consistent with the Guidelines for Safeguarding Member Information, in appendix A to part 748 of this chapter.

(b) Examples. Appropriate measures to properly dispose of consumer information include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this section.

(1) Burning, pulverizing, or shredding papers containing consumer information so that the information cannot practicably be read or reconstructed.

(2) Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed.

(c) Rule of construction. This section does not:

(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or

(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

(d) Definitions. As used in this section:

(1) Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

(i) Consumer information includes:

(A) A consumer report that you obtain;

(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;

(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;

(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or

(E) Information from a consumer report that you obtain about an employee or prospective employee.

(ii) Consumer information does not include:

(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or

(B) Blind data, such as payment history on accounts that are not personally identifiable, you use for developing credit scoring models or for other purposes.

(2) Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act. It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.

§ 717.90 — Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is a federal credit union.

(b) Definitions. For purposes of this section and appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a federal credit union to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A share or deposit account.

(2) The term board of directors refers to a federal credit union’s board of directors.

(3) Covered account means:

(i) An account that a federal credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; and

(ii) Any other account that the federal credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5).

(6) Customer means a member that has a covered account with a federal credit union.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the federal credit union.

(c) Periodic Identification of Covered Accounts. Each federal credit union must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a federal credit union must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program—(1) Program requirement. Each federal credit union that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the federal credit union and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the federal credit union;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and to the safety and soundness of the federal credit union from identity theft.

(e) Administration of the Program. Each federal credit union that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each federal credit union that is required to implement a Program must consider the guidelines in appendix J of this part and include in its Program those guidelines that are appropriate.

§ 717.91 — Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a federal credit union.

(b) Definitions. For purposes of this section:

(1) Cardholder means a member who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a member’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder’s former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 717.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.