Terms and Conditions

THIS END-USER AGREEMENT (“Agreement”) is made and entered into by and between Western Reporting (“Company”), and You (“End-User”). This Agreement shall be effective on the date of the last signature below (the “Effective Date”).

1. General

End-User represents that it is a legal entity in good standing in its state of formation as well as all jurisdictions in which it conducts business, with a legitimate permissible purpose for requesting the services and information products offered by Company.
Pursuant to the terms of this Agreement, Company strives to deliver accurate and timely information products (“consumer reports” and/or “investigative consumer reports” (collectively “consumer reports”) to assist End-User in making intelligent and informed decisions for a permissible purpose under applicable law. To this end, Company assembles information from a variety of sources, including databases maintained by consumer reporting agencies containing information from public records, other information repositories and third-party researchers. End-User understands that these information sources and resources are not maintained by Company. Therefore, Company cannot be a guarantor that the information provided from these sources is absolutely accurate or current. Nevertheless, Company has in place reasonable procedures designed to respond promptly to claims of incorrect or inaccurate information in accordance with applicable law.

2. End-User’s Certification of Fair Credit Reporting Act (FCRA) Permissible Purpose(s)

End-User hereby certifies that, each time a consumer report is requested, all of its orders for from Company shall be made, and the resulting consumer reports shall be used, for the following Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”) permissible purposes only: tenant screening.

3. End-User’s Certification of Legal Compliance

(i) End-User certifies to Company that the consumer reports it receives will not be used in violation of any applicable federal, state, or local laws, including, but not limited to the FCRA. End-User accepts full responsibility for complying with all such laws and for using the consumer reports it receives from Company in a legally acceptable fashion. To that end, End-User agrees to comply with and provide all statutorily required notices in Section 615 of the FCRA or other state laws when using consumer reports. End-User further accepts full responsibility for any and all consequences of use and/or dissemination of those consumer reports. End-User further agrees that each consumer report will only be used for a one-time use.

(ii) End-User agrees to have reasonable procedures for the fair and equitable use of consumer reports and to secure the confidentiality of private information. End-User agrees to take precautionary measures to protect the security and dissemination of all consumer report or investigative consumer report information including, for example, restricting terminal access, utilizing passwords to restrict access to terminal devices, and securing access to, dissemination and destruction of electronic and hard copy reports. End-User agrees to abide by Addendum A attached hereto which is incorporated into and is part of this Agreement.

(iii) As a condition of entering into this Agreement, End-User certifies that it will comply with all applicable local, state and federal laws, including but not limited to the FCRA and state law equivalents. Company will only keep information it provides to End-User for the lesser of two (2) years or as required by applicable law. End-User certifies that it will retain information it receives from Company in accordance with applicable law and will make such information available to Company upon request. In addition, End-User agrees to abide by all state and local “fair housing” laws. End-Users seeking credit information certify to Company that it has provided all disclosures required by applicable federal, state, or local laws, regulations and ordinances to the consumer in connection with such requests and must provide information described in and sign Addendum B before Company can provide credit information to End-User. Addendum B is incorporated into and is part of this Agreement, if applicable. End-User acknowledges and agrees to notify its employees that End-User can access credit information only for the permissible purposes listed in the FCRA.

(iv) End-User understands that the credit bureaus require specific written approval from Company before the following persons, entities and/or businesses may obtain credit reports: private detectives, private detective agencies, private investigative companies, bail bondsmen, attorneys, law firms, credit counseling firms, security services, members of the media, resellers, financial counseling firms, credit repair clinics, pawn shops (except companies that do only Title pawn), check cashing companies (except companies that do only loans, no check cashing), genealogical or heir research firms, dating services, massage or tattoo services, businesses that operate out of an apartment, individuals seeking information for their own private use, adult entertainment services of any kind, companies that locate missing children, companies that handle third party repossession, companies seeking information in connection with time shares, subscriptions companies, individuals involved in spiritual counseling or persons or entities that are not an End-User or decision maker.

(v) End-User represents that, if it orders credit reports, End-User will have a policy and procedures in place to investigate any discrepancy in a consumer’s address when notified by the credit bureau that the consumer’s address, as submitted by End-User, substantially varies from the address the credit bureau has on file for that consumer.

(vi) End-User understands and agrees that access to certain types of information (e.g., credit, motor vehicle records, I-9 verification, etc.) may require End-User to execute a separate contract, agreement, or addendum (as applicable) with Company or with Company’s vendors or service providers. End-User understands that Company will not provide to End-User or allow End-User access to such information unless and until it executes the relevant contract(s), agreement(s) or addenda (as applicable).

(vii) End-User hereby acknowledges that it has received a copy of the “A Summary of Your Rights Under the Fair Credit Reporting Act” (Appendix A) and “Notice of Users of Consumer Reports” (Appendix B).

(viii) End-User hereby certifies that, under the Investigative Consumer Reporting Agencies Act (“ICRAA”), California Civil Code sections 1786 et seq., and the Consumer Credit Reporting Agencies Act (“CCRAA”), California Civil Code sections 1785.1 et seq., if the End-User is located in the State of California and/or the End-User’s request for and/or use of investigative consumer reports and/or consumer credit reports pertains to a California resident or applicant, End-User will do the following:

A. Request and use investigative consumer reports and/or consumer credit reports solely for permissible purpose(s) identified under California Civil Code sections 1785.11 and 1786.12.

B. Notify the consumer in writing that an investigative consumer report and/or consumer credit report will be made regarding the consumer’s character, general reputation, and personal characteristics. The notification shall include the name and address of the consumer reporting agency as well as a summary of the provisions of California Civil Code section 1786.22, no later than three days after the date on which the report was first requested.

C. Provide the consumer a means by which he/she may indicate on a written form, by means of a box to check, that the consumer wishes to receive a copy of any investigative consumer reports and/or consumer credit reports that are prepared.

D. If the consumer wishes to receive a copy of the investigative consumer reports and/or consumer credit reports, the End-User shall send (or contract with another entity to send) a copy of the report to the consumer within three business days of the date that the report is provided to End-User. The copy of the report shall contain the name, address, and telephone number of the person who issued the report and how to contact him/her.

E. Under all applicable circumstances, comply with California Civil Code sections 1785.20 and 1786.40 if the taking of adverse action is a consideration, which shall include, but may not be limited to, advising the consumer against whom an adverse action has been taken that the adverse action was based in whole or in part upon information contained in the investigative consumer report and/or consumer credit report, informing the consumer in writing of Company’s name, address, and telephone number, and provide the consumer of a written notice of his/her rights under the ICRAA and the CCRAA.

F. Comply with all other requirements under applicable California law, including, but, not limited to any statutes, regulations and rules governing the procurement, use and/or disclosure of any investigative consumer reports and consumer credit reports, including, but not limited to, the ICRAA and CCRAA.

4. Reporting of Criminal History

(i) As it relates to criminal history information, Company only reports conviction records and will report a minimum of seven (7) years of conviction information, where allowed by any applicable fair credit reporting laws. Unless otherwise directed by End-User, when Company performs a national criminal search that identifies a criminal record, Company will then perform a state or county search to identify and report additional detail regarding the record(s). However, IF END USER INSTRUCTS COMPANY NOT TO APPLY ADDITIONAL STATE AND COUNTY LEVEL REPORTING in the event of a report of a criminal record report, End-User assumes full responsibility for determining whether reported information may be used in the jurisdiction where the consumer lives or is applying for tenancy, as well as any resulting liability towards a consumer or third party for End-User’s failure to do so. Furthermore, End-User’s failure to order additional state and county level reports in the event of a national criminal record search result, End-User will specifically be required to indemnify Company pursuant to Section 13(iii) below.

(ii) Company does not report non-conviction information unless a case is pending with a next court date scheduled and also does not report information relating to infractions, summary offenses, violations, or other sub-criminal information.

(iii) Company complies with all FCRA and state and local laws that restrict the reportability of certain types of adverse information about a consumer. To ensure compliance with such laws, End-User acknowledges and agrees that when including any information about a consumer in a consumer report, Company follows the most restrictive reporting restrictions based on the consumer’s residence address.

5. Permissible Purpose of Tenant Screening

End-User certifies that it will obtain written authorization from the consumer tenant or resident applicant prior to the procurement of the any consumer report or investigative consumer report by the End-User and it will only use the report requested for tenant screening.
If the consumer’s tenant application is denied, or other adverse action is taken based in whole or in part on the information products provided by Company End-User will provide to the consumer: a description, in writing, of the rights of the consumer entitled: “A Summary of Your Rights Under the Fair Credit Reporting Act, the right to obtain a copy of his/her consumer report and provide the tenant or resident applicant a reasonable opportunity of time to correct any erroneous information contained in the report. End-User certifies that any adverse action notice will comply with the FCRA including but not limited to satisfying all requirements under the FCRA if credit history is a disqualifying factor. If using a credit score, End-User certifies that it will comply with the Dodd-Frank Act and all applicable regulations relating to using a credit score.

6. International Criminal Record Searches

End-User understands that searches of international background screening will be conducted through the services of a third-party independent contractor. Because of differences in foreign laws, language, and the manner in which foreign records are maintained and reported, Company cannot be either an insurer or guarantor of the accuracy of the information reported. End-User therefore releases Company and its affiliated companies, officers, agents, employees, and independent contractors from any liability whatsoever in connection with erroneous information received as a result of an international background screening report.

7. National/Multi-State Database Searches

Company recommends that End-User screen its applicants or employees at the county court-house or online system, federal, and multi-state/nationwide database levels, which may result in additional costs associated with the verification. End-User understands that if it chooses not to conduct searches at these levels, Company cannot be held responsible for any records that exist that are not included in the End-User’s coverage requested.

8. Warrants

In the course of completing background checks, Company may uncover active arrest warrants which are outstanding against the subject. In these cases, Company may be contacted by the law enforcement agency seeking the subject. End-User understands that Company will furnish to law enforcement any information contained within the subject’s file to assist in the apprehension of the subject. Additionally, Company may contact End-User, and End-User agrees to release to Company, any and all information End-User may have which will further the apprehension of the wanted individual.

9. General Provisions

End-User agrees not to resell, sub-license, deliver, display, or otherwise distribute to any third party any of the information products addressed herein, except as required by law. End-User may not assign or transfer this Agreement without the prior written consent of Company. In addition, End-User shall immediately notify Company of any of the following events: change in ownership of End-User (over 50%), a merger, change in name or change in the nature of End-User’s business. The parties understand that this Agreement is for the sole benefit of Company and End-User and no third party shall be deemed a third-party beneficiary of this Agreement. If any of the provisions of this Agreement become invalid, illegal, or unenforceable in any respect, the validity, legality, and enforceability of the remaining provisions shall not in any way be impacted. By agreement of the parties, Texas law shall guide the interpretation of this Agreement, if such interpretation is required. All litigation arising out of this Agreement shall be commenced in Dallas County, and the parties hereby consent to such jurisdiction and venue. Any written notice by either party shall be delivered personally by messenger, private mail courier service, or sent by registered or certified mail, return receipt requested, postage prepaid to the addresses listed below, or may be delivered electronically to the e-mail addresses listed below. This Agreement shall be construed as if it were jointly prepared. Both parties agree that this Agreement constitutes all conditions of service, present and future. Changes to these conditions may be made only by mutual written consent of an authorized representative of End-User and an officer of Company. The headings of each section shall have no effect upon the construction or interpretation of any part of this Agreement.
If End-User is permitted to request consumer reports via Company’s website, then, in addition to all other obligations, End-User agrees to abide by such additional conditions that may be imposed to utilize the website, provide all required certifications electronically, to maintain complete and accurate files containing all required consent, authorization and disclosure forms with regard to each consumer for whom a report has been requested, and maintain strict security procedures and controls to assure that its personnel are not able to use End-User’s Internet access to obtain reports for improper, illegal or unauthorized purposes. End-User agrees to obtain the consumer’s electronic consent to receive any legal or other notices electronically. End-User agrees to allow Company to audit its records or use of Company’s services or ordering systems, including verification that End-User has a permissible purpose to request and obtain consumer and/or investigative consumer reports, at any time, upon reasonable notice given. Breaches of this Agreement and/or violations of applicable law discovered by Company may result in immediate suspension and/or termination of the account, legal action and/or referral to federal or state regulatory agencies.

10. Confidentiality

Neither party shall reveal, publish, or otherwise disclose any Confidential Information to any third party without the prior written consent of the other party. “Confidential Information” means any and all Proprietary Intellectual Property (defined below) or secret data; sales or pricing information relating to either party, its operations, employees, products, or services; and, all information relating to any customer, potential customer, Agent, and/or independent sales outlet. The Parties agree to keep this information confidential at all times during the term of this Agreement and continuing for five years after receipt of any Confidential Information. Notwithstanding anything to the contrary herein, in no event shall Company be required to destroy, erase or return any consumer reports or applicant data related thereto in Company’s files, all of which Company shall maintain as a consumer reporting agency in strict accordance with all applicable federal, state, and local laws.
In connection with services provided hereunder, End-User may have access to Confidential Information relating to Company’s intellectual property, including but not necessarily limited to trade secrets, service marks, trademarks, trade names, logos, symbols, brand names, software, technology, inventions, processes (that are subject to a patent or otherwise pending) collectively “Proprietary Intellectual Property.” End-User acknowledges and agrees that Company is the sole exclusive owner of all right, title and interest in such Proprietary Intellectual Property and it shall not disclose to any third party the nature or details of any such Proprietary Intellectual Property. End-User further agrees that it has no right to publish, reproduce, prepare derivative works based upon, distribute, perform, or otherwise display any of Company’s Proprietary Intellectual Property.

11. Independent Contractor

The parties agree that the relationship of the parties created by this Agreement is that of independent contractor and not that of employer/employee, principal/agent, partnership, joint venture, or representative of the other. Except as authorized hereunder, neither party shall represent to third parties that it is the employer, employee, principal, agent, joint venture, or partner with, or representative of the other party.

12. Fees and Payment

End-User agrees to pay nonrefundable fees and other charges or costs for Company background check services. Any charges or costs, including but not limited to surcharges and other fees levied by federal, state, county, other governmental agencies, educational institutions, employer verification lines and licensing agencies, incurred by Company in servicing End-User, will be passed onto End-User. At Company’s option, payments not received thirty (30) days after the date of the invoice may cause the account to be placed on temporary interruption, with no additional requests being processed until the balance due is paid in full or arrangements have been made with Company’s Accounts Payable Department. Accounts with invoices unpaid thirty (30) days or more will be assessed an interest charge of 1.5 % per month, as allowed by applicable law. In addition, Company charges a 3% fee for collecting payments via credit card. Any concerns regarding invoices or line items must be brought to the attention of Company’s billing department within 15 days of the date of such invoice. A $25 fee will be charged on all returned checks and non-sufficient funds.
If the account goes to collection, End-User agrees to pay all collection expenses, including attorneys’ fees and court costs. End-User agrees that prices for services are subject to change without notice, although Company will make every reasonable effort to give notice of such change before it becomes effective. Any account that remains inactive for a period of twelve (12) months will be deemed inactive and may be terminated by Company.

13. Warranties, Remedies, and Limitation of Liability

(i) End-User understands that Company obtains the information reported in its information products from various third-party sources “AS IS”, and therefore is providing the information to End-User “AS IS”. Company makes no representation or warranty whatsoever, express or implied, including but not limited to, implied warranties of merchantability or fitness for particular purpose, or implied warranties arising from the course of dealing or a course of performance with respect to the accuracy, validity, or completeness of any information products and/or consumer reports, that the information products will meet End-User’s needs, or will be provided on an uninterrupted basis; Company expressly disclaims any and all such representations and warranties.

(ii) COMPANY WILL NOT BE LIABLE TO END-USER FOR DAMAGES, AND END-USER HEREBY RELEASES COMPANY FROM ANY LIABILITY FOR DAMAGES ARISING UNDER ANY THEORY OF LEGAL LIABILITY TO THE FULLEST EXTENT THAT END-USER MAY LEGALLY AGREE TO RELEASE COMPANY FROM LIABILITY FOR SUCH DAMAGES. NONETHELESS, IN THE EVENT COMPANY IS DETERMINED BY A COURT OF COMPETENT JURISDICTION TO BE LIABLE TO END-USER FOR ANY MATTER ARISING UNDER OR RELATING TO THIS AGREEMENT, WHETHER ARISING IN CONTRACT, EQUITY, TORT OR OTHERWISE (INCLUDING WITHOUT LIMITATION ANY CLAIM FOR NEGLIGENCE), THE AMOUNT OF DAMAGES RECOVERABLE AGAINST COMPANY FOR ALL SUCH MATTERS WILL NOT EXCEED, IN THE AGGREGATE, THE AMOUNT PAID TO COMPANY BY END-USER FOR THE SERVICE TO WHICH A GIVEN CLAIM RELATES PROVIDED PURSUANT TO THIS AGREEMENT AND RECOVERY OF THE AMOUNT IS END-USER’S SOLE AND EXCLUSIVE REMEDY HEREUNDER. IN THE EVENT COMPANY IS LIABLE TO END-USER FOR ANY MATTER RELATING TO THIS AGREEMENT, WHETHER ARISING IN CONTRACT, EQUITY OR TORT (INCLUDING WITHOUT LIMITATION ANY CLAIM FOR NEGLIGENCE), AND IN ADDITION TO ANY OTHER LIMITATION OF LIABILITY OR REMEDY SET FORTH IN THIS AGREEMENT, THE AMOUNT OF DAMAGES RECOVERABLE AGAINST COMPANY WILL NOT INCLUDE ANY AMOUNTS FOR INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, LOST INCOME, OR LOST SAVINGS, OR FOR ANY AMOUNTS WITH RESPECT TO CLAIMS AGAINST COMPANY, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY FOR SUCH DAMAGES.

(iii) End-User shall indemnify, defend and hold harmless Company, its successors and assigns, officers, directors, employees, agents, vendors, credit bureaus and suppliers from and against any and all claims, suits, proceedings, actual damages, costs, expenses (including, without limitation, reasonable attorneys’ fees and court costs) (“Losses”) brought or suffered by any third party arising or resulting from, or otherwise in connection with information products provided by Company, the content, compliance, method of delivery or effectiveness of any notices, pre-adverse or adverse action letters, any breach by End-User of any of its representations, warranties, or agreements in this Agreement or its negligence or willful misconduct. Company shall have no responsibility for consequences of the actions of End-User upon the information which Company provides End-User, and End-User will indemnify and hold Company harmless from any loss, liability, damage, judgment, attorney’s fees, costs or penalties which may result from the use by End-User of the information provided by Company.

(iv) Company does not guarantee End-User’s compliance with all applicable laws in its use of reported information and does not provide legal or other compliance related services upon which End-User may rely in connection with its furnishing of reports. End-User understands that any documents, information, conversations, or communication with Company’s representatives regarding searches, verifications or other services offered by Company are not to be considered a legal opinion regarding such use. End-User agrees that (1) it will consult with its own legal or other counsel regarding the use of background screening information, including but not limited to, the legality of using or relying on reported information and to review any forms as well as the content of prescribed notices, adverse or pre-adverse action letters and any attachments to this Agreement for compliance with all applicable laws and regulations and (2) the provision of such notices, pre-adverse or adverse action letters and the contents thereof is the sole responsibility of End-User not Company. End-User acknowledges and agrees that it has no obligation to use and is solely responsible for independently vetting the contents of any sample forms that Company has provided to End-User in connection with this Agreement.

(v) If requested, Company may apply a client’s scoring or rental criteria to consumer reports based on criteria established and provided by End-User (“Criteria”). Company makes no representations regarding the validity, legality, or appropriateness of the Criteria. These services as well as any administration of notices shall be deemed to be purely clerical in nature and shall be performed by Company on behalf of End-User. All tenant-related decisions are made exclusively by End-User, not by Company. End-User agrees that End-User assumes full responsibility for such decisions and agrees to indemnify and hold Company harmless from any and all claims, losses, damages, and any costs (including attorneys’ fees) that may be related to or arise therefrom.

14. Arbitration

Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitrator shall not be authorized to award either party extra contractual damages, i.e., compensatory, or punitive damages. In the event of a breach of this Agreement, damages shall be limited to an award as may be determined by the Arbitrator. The site of the arbitration shall be Dallas, Texas.

15. Term and Termination

The term of this Agreement shall begin on the date it is executed by End-User and shall be in effect for one (1) year beginning on the first day of the assigned date below and renewed automatically for one (1) year each year on its anniversary date if no written notice is received by either party within thirty (30) days prior to end of term.
Except as otherwise provided for herein, either party may cancel this Agreement by giving thirty (30) days written notice to the other party. If End-User desires to terminate this Agreement, End-User agrees that it will pay Company for all services that have been provided prior to the effective date of termination. Company may terminate or revise the provisions of this Agreement immediately upon written notice if End-User is the debtor in a bankruptcy action or in an assignment for the benefit of creditors or if End-User undergoes a change in ownership. Termination of this Agreement by either party does not release End-User from its obligation to pay for services rendered or other responsibilities and agreements made.
In addition to any and all other rights a party may have available according to law, if a party defaults by failing to perform any provision, term, or condition of this Agreement the other party may terminate the Agreement by providing written notice to the defaulting party. This notice shall describe with sufficient detail the nature of the default. The party receiving such notice shall have fifteen (15) days from the receipt of such notice to cure the default(s). Unless waived by party providing notice, the failure to cure the default(s) within such time period shall result in the automatic termination of this Agreement.
During the term of this Agreement, Company will be the exclusive provider to the End-User except for services not provided herein.

16. Force Majeure

End-User agrees that Company is not responsible for any events or circumstances beyond its control (e.g., including but not limited to war, riots, embargoes, strikes and/or Acts of God) that prevent Company from meeting its obligations under this Agreement.

17. Waiver

The failure of either party to insist in any one or more cases upon the strict performance of any term, covenant or condition of this Agreement will not be construed as a waiver or subsequent breach of the same or any other covenant, term or condition; nor shall any delay or omission by either party to seek a remedy for any breach of this Agreement be deemed a waiver by either party of its remedies or rights with respect to such a breach.

18. Severability

If any provision of this Agreement, or the application thereof to any person or circumstance, shall be held invalid or unenforceable under any applicable law, such invalidity or unenforceability shall not affect any other provision of this Agreement that can be given effect without the invalid or unenforceable provision, or the application of such provision to other persons or circumstances, and, to this end, the provisions hereof are severable.

19. Execution

This Agreement and all attachments and exhibit hereto, constitute the entire agreement of the parties and shall supersede any prior agreements governing the subject matter contained herein.

ADDENDUM A

Access Security Requirements

The parties acknowledge they must work together to protect the privacy of consumers. The following measures are designed to reduce unauthorized access of consumer reports. In accessing consumer information, End-User agrees to the following:

1. End-User will take reasonable procedures to protect its account number and password so that only key personnel employed by your company know this sensitive information, including not posting this information anywhere in the facility. End-User agrees to request an account password change immediately if a person who knows the password leaves its company or no longer needs to have access due to a change in duties.
2. End-User agrees that system access software, whether developed by your company or purchased from a third-party vendor, will have End-User’s account number and password “hidden” or embedded and be known only by supervisory personnel. End-User will assign each user of its system access software a unique logon password. If such system access software is replaced by different access software and therefore no longer is in use or, alternatively, the hardware upon which such system access software resides is no longer being used or is being disposed of, or if the password has been compromised or believed to be compromised in any way, End-User will change its password immediately.
3. End-User agrees it will not discuss its account number or password by telephone with any unknown caller, even if the caller claims to be an employee of Company
4. End-User will restrict the ability to obtain consumer information to a few key personnel.
5. End-User agrees to place all terminal devices used to obtain consumer information in a secure location within its facility so that unauthorized persons cannot easily access them.
6. End-User agrees it will turn off and lock all devices or systems used to obtain consumer information.
7. End-User will secure hard copies and electronic files of consumer reports within its facility so that unauthorized persons cannot easily access them.
8. End-User agrees to shred and/or destroy all hard copy consumer reports when they are no longer needed and erase and overwrite or scramble electronic files containing consumer information when no longer needed and when applicable regulation(s) permit destruction.
9. End-User agrees to notify its employees that End-User can access credit information only for the permissible purposes listed in the Fair Credit Reporting Act.

ADDENDUM B

Documents Required Before Requesting Credit Report Information

Before End-User will be allowed to access credit report information, Company requires that End-User provide one (1) of the following items listed below (if End-User is not publicly traded) and also receive an onsite inspection to verify company information and physically review End-User’s onsite location. Certain criteria must be met at the onsite inspection per requirements of the credit bureau. The cost for the onsite inspection will be the responsibility of the End-User and End-User will receive from Company an invoice for any related costs and expenses.

1. Business license status from a government web site (please include entire web page print out);
2. Business license, copy or documented verification;
3. Documented corporation verification with state or federal government;
4. Copy of Articles of Incorporation with proof of filing;
5. State and/or federal tax records originating from the state or federal government;
6. FDIC Certification; or
7. 501(c)(3) certificate for non-profit originations.

If End-User is a publicly traded company, the following items are acceptable methods for verifying that the End-User is a bona fide entity:

1. Documentation of ticker symbol information from trading website;
2. Certified copy of audited annual or quarterly statements submitted to the SEC.

ADDENDUM C

Qualified Subscriber Terms and Conditions

Equifax Information Services LLC (“Equifax“)

Equifax Information Services (as defined below) will be received by Qualified Subscriber through CRA subject to the following conditions (the “Terms and Conditions”):

1. Any information services and data originating from Equifax (the “Equifax Information Services” or “Equifax Information”) will be requested only for Subscriber’s exclusive use and held in strict confidence except to the extent that disclosure to others is required or permitted under the last sentence of this Paragraph. Only designated representatives of Qualified Subscriber will request Equifax Information Services on Qualified Subscriber’s employees, and employees are forbidden to obtain consumer reports on themselves, associates, or any other persons except in the exercise of their official duties. Qualified Subscriber will not disclose Equifax Information to the subject of the report except as permitted or required by law but will refer the subject to Equifax.
2. Qualified Subscriber will hold Equifax and all its agents harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of Equifax Information by Qualified Subscriber, its employees, or agents contrary to the conditions of Paragraph 1 or applicable law.
3. Recognizing that information for the Equifax Information Services is secured by and through fallible human sources and that, for the fee charged, Equifax cannot be an insurer of the accuracy of the Equifax Information Services, Qualified Subscriber understands that the accuracy of any Equifax Information Service received by Qualified Subscriber is not guaranteed by Equifax, and Qualified Subscriber releases Equifax and its affiliate companies, agents, employees, and independent contractors from liability, even if caused by negligence, in connection with the Equifax Information Services and from any loss or expense suffered by Qualified Subscriber resulting directly or indirectly from Equifax Information.
4. Qualified Subscriber will be charged for the Equifax Information Services by CRA, which is responsible for paying Equifax for the Equifax Information Services.
5. Written notice by either party to the other will terminate these Terms and Conditions effective ten (10) days after the date of that notice, but the obligations and agreements set forth in Paragraphs 1, 2, 3, 6, 7, and 8 herein will remain in force.
6. Qualified Subscriber certifies that it will order Equifax Information Services that are consumer reports, as defined by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (“FCRA”), only when Qualified Subscriber intends to use that consumer report information: (a) in accordance with the FCRA and all state law counterparts; and (b) for one of the following permissible purposes: (i) in connection with a credit transaction involving the consumer on whom the consumer report is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; (ii) in connection with the underwriting of insurance involving the consumer; (iii) as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; (iv) when Qualified Subscriber otherwise has a legitimate business need for the information either in connection with a business transaction that is initiated by the consumer, or to review an account to determine whether the consumer continues to meet the terms of the accounts; or (v) for employment purposes; provided, however, that QUALIFIED SUBSCRIBER IS NOT AUTHORIZED TO REQUEST OR RECEIVE CONSUMER REPORTS FOR EMPLOYMENT PURPOSES UNLESS QUALIFIED SUBSCRIBER HAS AGREED IN WRITING TO THE TERMS AND CONDITIONS OF THE EQUIFAX PERSONA SERVICE. Qualified Subscriber will comply with applicable federal and state laws, rules and regulations relating to such party’s performance of its obligations under these Terms and Conditions including, but not limited to, all applicable consumer financial protection laws. In addition, Qualified Subscriber shall not engage in any unfair, deceptive, or abusive acts or practices. Qualified Subscriber will use each consumer report ordered under these Terms and Conditions for one of the foregoing purposes and for no other purpose.
7. It is recognized and understood that the FCRA provides that anyone “who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18, United States Code, imprisoned for not more than two (2) years, or both.” Equifax may periodically conduct audits of Qualified Subscriber regarding its compliance with these Terms and Conditions, including, without limitation, the FCRA, other certifications and security provisions in these Terms and Conditions. Audits will be conducted by mail whenever possible and will require Qualified Subscriber to provide documentation as to permissible use of particular consumer reports. Qualified Subscriber gives its consent to Equifax to conduct such audits and agrees that any failure to cooperate fully and promptly in the conduct of any audit, or Qualified Subscriber’s material breach of these Terms and Conditions, constitute grounds for immediate suspension of service or termination of these Terms and Conditions, notwithstanding Paragraph 5 above. If Equifax terminates these Terms and Conditions due to the conditions in the preceding sentence, Qualified Subscriber (i) unconditionally releases and agrees to hold Equifax harmless and indemnify it from and against any and all liabilities of whatever kind or nature that may arise from or relate to such termination, and (ii) covenants it will not assert any claim or cause of action of any kind or nature against Equifax in connection with such termination.
8. California Law Certification. Qualified Subscriber will refer to Exhibit 1-A attached hereto in making the following certification, and Qualified Subscriber agrees to comply with all applicable provisions of the California Credit Reporting Agencies Act. Qualified Subscriber must be able to answer the following questions in the affirmative:
   1. Do you, Qualified Subscriber certify you are a “retail seller,” as defined in Section 1802.3 of the California Civil Code and referenced in Exhibit A1?
   2. Do you, Qualified Subscriber issue credit to consumers who appear in person on the basis of an application for credit submitted in person?
9. Vermont Certification. Qualified Subscriber certifies that it will comply with applicable provisions under Vermont law. In particular, Qualified Subscriber certifies that it will order information services relating to Vermont residents that are credit reports as defined by the Vermont Fair Credit Reporting Act (“VFCRA”), only after Qualified Subscriber has received prior consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Qualified Subscriber further certifies that the attached copy of Section 2480e (Exhibit 1-B attached hereto) of the Vermont Fair Credit Reporting Statute was received from Equifax.
10. Data Security.
    10.1. This Paragraph 10 applies to any means through which Qualified Subscriber orders or accesses the Equifax Information Services including, without limitation, system-to-system, personal computer, or the Internet.For the purposes of this Paragraph 10, the term “Authorized User” means a Qualified Subscriber employee that Qualified Subscriber has authorized to order or access the Equifax Information Services and who is trained on Qualified Subscriber’s obligations under these Terms and Conditions with respect to the ordering and use of the Equifax Information Services including Qualified Subscriber’s FCRA and other obligations with respect to the access and use of consumer reports.10.2. Qualified Subscriber will, with respect to handling Equifax Information:(a) ensure that only Authorized Users can order or have access to the Equifax Information;
    (b) ensure that Authorized Users do not order consumer reports for personal reasons or provide them to any third party except as permitted by this Agreement;
    (c) inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment,
    (d) ensure that all devices used by Qualified Subscriber to order or access the Equifax Information are placed in a secure location and accessible only by Authorized Users, and that such devices are secured when not in use, through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures;
    (e) take all necessary measures to prevent unauthorized ordering of or access to the Equifax Information by any person other than an Authorized User for permissible purposes, including, without limitation, limiting the knowledge of the Qualified Subscriber security codes, member numbers, User IDs, and any passwords Qualified Subscriber may use (collectively, “Security Information”), to those individuals with a need to know. In addition, the User IDs must be unique to each person, and the sharing of User IDs or passwords is prohibited,
    (f) change Qualified Subscriber’s user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing the Equifax Information, or if Qualified Subscriber suspects an unauthorized person has learned the password. Additionally, perform at least quarterly entitlement reviews to recertify and validate Authorized User’s access privileges,
    (g) adhere to all security features in the software and hardware Qualified Subscriber uses to order or access the Equifax Information, including the use of IP restriction;
    (h) implement secure authentication practices when providing User ID and passwords to Authorized Users, including but not limited to using individually assigned email addresses and not shared email accounts;
    (i) in no event access the Equifax Information via any unregistered hand-held wireless communication device, that have not gone through Client’s device enrollment, access, and authentication process. Such process shall be reviewed and approved by Equifax prior to allowing access to Equifax Information via any hand-held communication device;
    (j) not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs and DVDs) to store the Equifax Information. In addition, Equifax Credit Information must be encrypted when it is not in use and all printed Equifax Information, must be stored in a secure, locked container when not in use and must be completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose;
    (k) if Qualified Subscriber sends, transfers or ships any Equifax Information, encrypt the Equifax Information using minimum standards of Advanced Encryption Standard (AES), minimum 128-bit key, encrypted algorithms, which standards may be modified from time to time by Equifax;
    (l) not ship hardware or software between Qualified Subscriber’s locations or to third parties without deleting all Security Information and any consumer information;
    (m) monitor compliance with the obligations of this Section 10, and immediately notify Equifax if Qualified Subscriber suspects or knows of any unauthorized access or attempt to access the Equifax Information, including, without limitation, a review of each Equifax invoice for the purpose of detecting any unauthorized activity;
    (n) if, subject to Equifax approval, Qualified Subscriber uses a service provider to establish access to the Equifax Information, be responsible for the service provider’s use of Security Information, and ensure the service provider safeguards such Security Information through the use of security requirements that are no less stringent than those applicable to Qualified Subscriber under this Section 10;
    (o) use commercially reasonable efforts to assure data security when disposing of any consumer report information or record obtained from Equifax. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of Qualified Subscriber’s activities (e.g. the Federal Trade Commission, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records.
    (p) use commercially reasonable efforts to secure Equifax Information when stored on servers, subject to the following requirements: (i) servers storing Equifax Information must be separated from the Internet or other public networks by firewalls which are managed and configured to meet industry accepted best practices, (ii) protect Equifax Information through multiple layers of network security, including but not limited to industry-recognized firewalls, routers, and intrusion detection/prevention devices (IDS/IPS), (iii) secure access (both physical and network) to systems storing Equifax Information, which must include authentication and passwords that are changed at least every ninety (90) days, and (iii) all servers must be kept current and patched on a timely basis with appropriate security-specific system patches, as they are available;
    (q) not allow Equifax Information to be displayed via the Internet unless utilizing, at a minimum, a three-tier architecture configured in accordance with industry best practices;
    (r) use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review;
    (s) provide prompt notification to Equifax of any change in address or office location and is subject to an onsite visit of the new location by Equifax or its designated representative, and;
    (t) in the event Qualified Subscriber has a Security Incident involving Equifax Information, Qualified Subscriber will fully cooperate with Equifax in a security assessment process and promptly remediate any finding. For purposes of this Section VII “Security Incident” means any actual breach, theft or unauthorized access, use, misuse, theft, vandalism, modification, or transfer of or to Information Services or Equifax Information.10.3 A Cloud Service provider (“CSP”) is a company that offers a component of cloud computing. CSPs generally offer Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Qualified Subscriber may use a CSP to process, transmit, or store Equifax Information, subject to the following conditions: (i) Qualified Subscriber obtains Equifax’s written, and (ii) Qualified Subscriber certifies that Qualified Subscriber will, and will contractually obligate it’s CSP to, follow Equifax minimum requirements for cloud computing and storage, including, but not limited to:
    (a) Data at rest encryption of at least AES-256 shall be used where Equifax Information is stored.
    (b) An inventory shall be kept of all Equifax Information within the cloud environment.
    (c) Equifax Information shall be logically and/or physically separated in multi-tenant environments in accordance industry standards.
    (d) Utilization of secure data destruction techniques shall be used to destroy Equifax Information in accordance with industry standards.
    (e) Assets that are no longer needed for legal or other retention purposes shall be destroyed in accordance with industry standard.
    (f) Incident handling and forensic support shall be provided in the event of an investigation or Security Incident.
    (g) Cloud hosted systems shall be patched at the most current levels and have vulnerabilities addressed in accordance with industry standards.
    (h) Information systems and infrastructures shall follow industry security hardening standard such as DISA STIG or CIS guidance.
    (i) Qualified Subscriber or Qualified Subscriber’s application environment shall be certified by an independent third party (i.e. SOC 2 Type 2, PCI/ISO 27001/NIST).
    (j) Third parties providing support services to the Qualified Subscriber or Qualified Subscriber’s CSP shall not have access to Equifax Information without prior consent of Equifax.
    (k) Qualified Subscriber shall manage all encryption keys within the Qualified Subscriber’s CSP.
11. Subscriber may access, use and store Equifax Credit Information only at or from locations within the territorial boundaries of the United States, Canada, and the United States territories of Puerto Rico, Guam and the Virgin Islands (the “Permitted Territory”). Subscriber may not access, use or store Equifax Credit Information at or from, or send it to any location outside of the Permitted Territory without first obtaining Equifax’s prior written consent and entering into such written agreements as Equifax may require.
12. These Terms and Conditions will be governed by and construed in accordance with the laws of the State of Georgia, without giving effect to its conflicts of law’s provisions. These Terms and Conditions constitute the entire agreement of the parties with respect to Qualified Subscriber receiving Equifax Information Services and no changes in these Terms and Conditions may be made except in writing by an officer of Equifax. By continuing under the Terms and Conditions, you agree that:Qualified Subscriber has read and understands these Terms and Conditions.Qualified Subscriber has read the attached Exhibit 1-C “Notice to Users of Consumer Reports, Obligations of Users” which explains Qualified Subscriber’s obligations under the FCRA as a user of consumer report information. (To be initialed by the person signing on behalf of Qualified Subscriber.)

EXHIBIT 1-A to CRA Qualified Subscriber Terms and Conditions
State Compliance Matters

California Retail Seller

Provisions of the California Consumer Credit Reporting Agencies Act, as amended effective July 1, 1998, will impact the provision of consumer reports to Qualified Subscriber under the following circumstances: (a) if Qualified Subscriber is a “retail seller” (defined in part by California law as “a person engaged in the business of selling goods or services to retail buyers”) and is selling to a “retail buyer” (defined as “a person who buys goods or obtains services from a retail seller in a retail installment sale and not principally for the purpose of resale”) and a consumer about whom Qualified Subscriber is inquiring is applying, (b) in person, and (c) for credit. Under the foregoing circumstances, Equifax, before delivering a consumer report to Qualified Subscriber, must match at least three (3) items of a consumer’s identification within the file maintained by Equifax with the information provided to Equifax by Qualified Subscriber in connection with the in-person credit transaction. Compliance with this law further includes Qualified Subscriber’s inspection of the photo identification of each consumer who applies for in-person credit, mailing extensions of credit to consumers responding to a mail solicitation at specified addresses, taking special actions regarding a consumer’s presentment of a police report regarding fraud, and acknowledging consumer demands for reinvestigations within certain time frames.

If Qualified Subscriber designated in Paragraph 8 of the Terms and Conditions that it is a “retail seller,” Qualified Subscriber certifies that it will instruct its employees to inspect a photo identification of the consumer at the time an application is submitted in person. If Qualified Subscriber is not currently, but subsequently becomes a “retail seller,” Qualified Subscriber agrees to provide written notice to Equifax prior to ordering credit reports in connection with an in-person credit transaction, and agrees to comply with the requirements of the California law as outlined in this Exhibit, and with the specific certifications set forth herein.

Qualified Subscriber certifies that, as a “retail seller,” it will either (a) acquire a new Qualified Subscriber number for use in processing consumer report inquiries that result from in-person credit applications covered by California law, with the understanding that all inquiries using this new Qualified Subscriber number will require that Qualified Subscriber supply at least three items of identifying information from the applicant; or (b) contact Qualified Subscriber’s Equifax sales representative to ensure that Qualified Subscriber’s existing number is properly coded for these transactions.

EXHIBIT 1-B to CRA Qualified Subscriber Terms and Conditions
Vermont Fair Credit Reporting Contract Certification

Qualified Subscriber acknowledges that it subscribes to receive various information services from Equifax Information Services LLC (“Equifax”) in accordance with the Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480a (2016), as amended (the “VFCRA”) and the Federal Fair Credit Reporting Act, 15, U.S.C. 1681 et. Seq., as amended (the “FCRA”) and its other state law counterparts. In connection with Qualified Subscriber’s continued use of Equifax information services in relation to Vermont consumers, Qualified Subscriber hereby certifies as follows:

Vermont Certification. Qualified Subscriber certifies that it will comply with applicable provisions under Vermont law. In particular, Qualified Subscriber certifies that it will order information services relating to Vermont residents, that are credit reports as defined by the VFCRA, only after Qualified Subscriber has received prior consumer consent in accordance with VFCRA § 2480e and applicable Vermont Rules. Qualified Subscriber further certifies that the attached copy of § 2480e of the Vermont Fair Credit Reporting Statute was received from Equifax.

Attachment to EXHIBIT 1-B

Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (2016)

§ 2480e. Consumer consent

(a) A person shall not obtain the credit report of a consumer unless:
(1) the report is obtained in response to the order of a court having jurisdiction to issue such an order; or
(2) the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.
(b) Credit reporting agencies shall adopt reasonable procedures to ensure maximum possible compliance with subsection (a) of this section.
(c) Nothing in this section shall be construed to affect:
(1) the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and
(2) the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission.
____________________________________________________________________________________________

VERMONT RULES *** CURRENT THROUGH DECEMBER 16, 2016 ***
AGENCY 06. OFFICE OF THE ATTORNEY GENERAL
SUB-AGENCY 031. CONSUMER PROTECTION DIVISION
CHAPTER 012. Consumer Fraud–Fair Credit Reporting
RULE CF 112 FAIR CREDIT REPORTING
CVR 06-031-012, CF 112.03 (2016)
CF 112.03 CONSUMER CONSENT

(a) A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction.

(b) Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.

(c) The fact that a clear and adequate written consent form is signed by the consumer after the consumer’s credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier consent.

EXHIBIT 1-C to CRA Qualified Subscriber Terms and Conditions
NOTICE TO USERS OF CONSUMER REPORTS:
OBLIGATIONS OF USERS UNDER THE FCRA

All users of consumer reports must comply with all applicable regulations. Information and applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau’s website, www.consumerfinance.gov/learnmore.

The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau’s (CFPB) website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the CFPB’s website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.

The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.

I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS

A. Users Must Have a Permissible Purpose

Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

• As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)
• As instructed by the consumer in writing. Section 604(a)(2)

• For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account. Section 604(a)(3)(A)
• For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)
• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
• When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)

• To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)

• To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status. Section 604(a)(3)(D)
• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
• For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604 (a)(5)
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of “prescreened” information are described in Section VII below.

B. Users Must Provide Certifications

Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

A. C. Users Must Notify Consumers When Adverse Actions Are Taken

The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
1. Adverse Actions Based on Information Obtained From a CRA
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:
• The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
• A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
• A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days.
• A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.

2. Adverse Actions Based on Information Obtained From Third Parties Who Are Not Consumer Reporting Agencies
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer’s written request.

3. Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.

D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files

When a consumer has placed a fraud alert, including one relating to identity theft, or an active-duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active-duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.

E. Users Have Obligations When Notified of an Address Discrepancy

Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed. Federal regulations are available at www.consumerfinance.gov/learnmore

F. Users Have Obligations When Disposing of Records

Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. Federal regulations have been issued that cover disposal.

II. CREDITORS MUST MAKE ADDITIONAL DISCLOSURES

If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the CFPB.

Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan Applicant”).

III. OBLIGATIONS OF USERS WHEN CONSUMER REPORTS ARE OBTAINED FOR EMPLOYMENT PURPOSES

. A. Employment Other Than in the Trucking Industry

If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:

• Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.

• Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.

• Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.

• Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of consumer’s rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken.

An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2)

The procedures for investigative consumer reports and employee misconduct investigations are set forth below.

• B. Employment in the Trucking Industry

Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.

IV. OBLIGATIONS WHEN INVESTIGATIVE CONSUMER REPORTS ARE USED

Investigative consumer reports are a special type of consumer report in which information about a consumer’s character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:

• The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)

• The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure described below.

• Upon the written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.

V. SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS

Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.

VI. OBLIGATIONS OF USERS OF MEDICAL INFORMATION

Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report, or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in federal regulations – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).

VII. OBLIGATIONS OF USERS OF “PRESCREENED” LISTS

The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(l), 604(c), 604(e), and 615(d). This practice is known as “prescreening” and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:

• Information contained in a consumer’s CRA file was used in connection with the transaction.

• The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.

• Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.

• The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system.

In addition, once the CFPB has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The relevant regulation is 12 CFR 1022.54.

VIII. OBLIGATIONS OF RESELLERS

A. Disclosure and Certification Requirements

Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:

• Disclose the identity of the end-user to the source CRA.

• Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.

• Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:

(1) the identity of all end-users;
(2) certifications from all users of each purpose for which reports will be used; and
(3) certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.

B. Reinvestigations by Resellers

Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.

C. Fraud Alerts and Resellers

Section 605A(f) requires resellers who receive fraud alerts or active-duty alerts from another consumer reporting agency to include these in their reports.

IX. LIABILITY FOR VIOLATIONS OF THE FCRA

Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.

The CFPB’s Web site, www.consumerfinance.gov/learnmore, has more information about the FCRA, including publications for businesses and the full text of the FCRA.

Citations for FCRA sections in the U.S. Code, 15 U.S.C. § 1681 et seq.:

Section 602 15 U.S.C. 1681
Section 603 15 U.S.C. 1681a
Section 604 15 U.S.C. 1681b
Section 605 15 U.S.C. 1681c
Section 605A 15 U.S.C. 1681cA
Section 605B 15 U.S.C. 1681cB
Section 606 15 U.S.C. 1681d
Section 607 15 U.S.C. 1681e
Section 608 15 U.S.C. 1681f
Section 609 15 U.S.C. 1681g
Section 610 15 U.S.C. 1681h
Section 611 15 U.S.C. 1681i
Section 612 15 U.S.C. 1681j
Section 613 15 U.S.C. 1681k
Section 614 15 U.S.C. 1681l
Section 615 15 U.S.C. 1681m
Section 616 15 U.S.C. 1681n
Section 617 15 U.S.C. 1681o
Section 618 15 U.S.C. 1681p
Section 619 15 U.S.C. 1681q
Section 620 15 U.S.C. 1681r
Section 621 15 U.S.C. 1681s