Master User Agreement

Services
SecureTrac Risk Management shall provide consumer reports and investigative consumer reports (“Screening Report”), as those terms are defined in the federal Fair Credit Reporting Act, 15 U.S.C. § 1681 (“FCRA”), at User’s request in connection with any pre-employment or post-employment background screening of applicants (the “Applicant”) or retention of employees (the “Employee”). Screening Reports may include such information as employment history, credit reports, motor vehicle records, education verifications, criminal and civil records and other background information. In the case of investigative consumer reports, SecureTrac Risk Management may also provide personal references collected and processed by SecureTrac Risk Management through various channels of information.

Compliance with Applicable Laws
Pursuant to the FCRA, SecureTrac Risk Management is a “consumer reporting agency” in the business of providing Screening Reports to third parties when that third party has a permissible purpose under the FCRA. Accordingly, the FCRA places certain legal obligations and responsibilities on both SecureTrac Risk Management and User for the reporting and use of Screening Reports when used for background screening purposes. SecureTrac Risk Management does not, and cannot provide legal advice or opinions with respect to User’s compliance with applicable Federal and state laws and regulations. SecureTrac Risk Management recommends User consult legal counsel regarding their overall screening program compliance. The FCRA provides that any person who knowingly and willfully obtains information on an individual from a consumer reporting agency, such as SecureTrac Risk Management, under false pretenses shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both.III. Term and Termination Except as set forth herein, this Agreement will become effective on the Effective Date and will continue in full force and effect until it is terminated by either party pursuant to the terms contained herein. Either party may terminate this Agreement for convenience upon thirty (30) days written notice to the other party. Either party may terminate this Agreement if the other party materially breaches this Agreement and such breaching party fails to cure the breach, or implement a plan of action that is mutually acceptable to the parties to cure such breach, within ten (10) days after receipt of written notice from the non-breaching party specifying in reasonable detail the nature of the breach; provided, however, that any such plan of action shall include a timeline for completion of activities under such plan to cure such breach, and if the breaching party fails to meet such timeline, the non-breaching party may terminate this Agreement immediately upon written notice to the breaching party. Upon the termination of this Agreement, the following shall apply: (i) the parties shall cooperate to effect an orderly, efficient, effective and expeditious termination of the activities hereunder; (ii) SecureTrac Risk Management shall return to User any and all User-furnished items delivered by User to SecureTrac Risk Management hereunder; (iii) SecureTrac Risk Management shall have no obligation to perform any services hereunder after the effective date of the termination; (iv) User shall pay to SecureTrac Risk Management any service fees or other amounts payable for the services performed hereunder prior to the effective date of the termination; and (v) the parties’ respective rights and obligations under this paragraph, and the covenants contained in this Agreement which, by their terms, require performance by the parties after the expiration or termination of this Agreement shall survive and be enforceable notwithstanding the expiration or termination of this Agreement for any reason whatsoever.

Independent Contractor
SecureTrac Risk Management shall be and act as an independent contractor (and not as the agent or representative of User) in the performance of this Agreement. This Agreement shall not be interpreted or construed as: (i) creating or evidencing any association, joint venture, partnership or franchise between the parties; (ii) imposing any partnership or franchisor obligation or liability on either party; or (iii) prohibiting or restricting SecureTrac Risk Management’s performance of any services for any third party.

Information Security
In addition to maintaining reasonable procedures to assure compliance with the FCRA and the confidentiality of personal information contained in the Screening Reports, each party shall implement commercially available and appropriate administrative, physical and technical security procedures and safeguards to prevent the unauthorized disclosure of confidential information in the Screening Reports and to maintain the confidentiality and the security of such information. User shall securely store any hard copy of a Screening Report and protect it against release and disclosure to unauthorized personnel or third parties. In furtherance of that obligation, User shall provide to SecureTrac Risk Management the name of the person requesting the information for each Screening Report request and, where applicable, shall provide the name of the individual who has been designated as the principal Account Administrator.

Permissible Purpose and Equal Employment Opportunity
User certifies pursuant to section 1681b of the FCRA that the information contained in the Screening Report(s) provided by SecureTrac Risk Management will be used for employment purposes, including evaluating an individual (Applicant or Employee) for employment, promotion, reassignment or retention as an employee, only and for no other purpose. User further certifies that it will not use the Screening Report(s) in violation of any applicable Federal or state equal employment opportunity law or regulation. User shall notify SecureTrac Risk Management immediately of any change in permissible purpose for which the Screening Report(s) is requested and used and will not change its use of the Screening Report(s) without SecureTrac Risk Management’s written authorization. VII.Disclosure and Written Authorization from Applicant or Employee User certifies that it shall provide Applicant or Employee with a clear and conspicuous disclosure, in writing, at any time before a Screening Report is procured, or caused to be procured, giving notice to the Applicant or Employee that such will be obtained for employment purposes. Such disclosure shall be contained in a document containing solely of such disclosure. User certifies that it shall obtain from the Applicant or Employee written authorization to obtain and use the Screening Report once the above stated disclosure to Applicant or Employee has been provided and will maintain copies of all written authorizations for a minimum of five (5) years from the date of inquiry.VIII. Adverse Action User certifies that it shall follow prescribed adverse action procedures as spelled out in sections 1681b and 1681m of the FCRA, as applicable. This includes the requirement to provide an Applicant or Employee with a copy of the Screening Report and A Summary of Your Rights under the Fair Credit Reporting Act before taking any adverse action against the Applicant or Employee, based in whole or in part, on a Screening Report provided by SecureTrac Risk Management. User has additional obligations under the FCRA if any adverse action is in fact taken against the Applicant or Employee with respect to their employment.

Basis for Employment Decisions
User shall base all employment decisions and actions on its own policies and procedures and acknowledges and agrees that SecureTrac Risk Management employees are not authorized to do so nor can they render legal advice or opinions regarding the Screening Report(s) and User’s compliance with the FCRA and other applicable laws and regulations.

Confidentiality
User acknowledges and understands its obligation to maintain the confidentiality and integrity of any information received by User from SecureTrac Risk Management. All information requested by User is for User’s exclusive use and User shall take reasonable steps to ensure that all information provided by SecureTrac Risk Management in the Screening Report will be held in strict confidence, will be kept confidential and will not be disclosed to any third party not involved in the employment decision for which the information is sought. User shall ensure that those employees authorized to request a Screening Report from SecureTrac Risk Management shall not attempt to obtain any Screening Report on themselves, associates, or any other person except in the exercise of their official duties. Screening Reports provided by SecureTrac Risk Management are intended for a one-time use by User and any use of a Screening Report provided by SecureTrac Risk Management, other than for the use provided for in this Agreement is prohibited, including, but not limited to resale or other commercial use, misrepresentation, improper use of the information or access to the information by unauthorized personnel, whether intentionally or due to carelessness, and may subject User to criminal and/or civil liability under the FCRA and other applicable Federal, state and local laws. The term “Confidential Information” shall mean this Agreement and all data, trade secrets, business information and other information of any kind whatsoever that one party hereto discloses, in writing, orally, visually or in any other medium to the other party hereto or to which recipient obtains access and that relates to the disclosing party. Each of the parties, as recipients, hereby agree that they shall not disclose Confidential Information of the disclosing party to any third party during or after the term of this Agreement, other than on a “need to know” basis and then only to recipient’s employees, provided that such persons are subject to a written confidentiality agreement that shall be no less restrictive than the provisions of this Section. Recipients shall not use or disclose Confidential Information of the disclosing party for any purpose other than to carry out this Agreement. Nothing in this Section will prohibit or limit the receiving party’s use of information if: (i) at the time of disclosure hereunder such information is generally available to the public; (ii) after disclosure hereunder such information becomes generally available to the public, except through breach of this Agreement by the receiving party; (iii) the receiving party can demonstrate such information was in its possession prior to the time of disclosure by the disclosing party; (iv) the information becomes available to the receiving party from a third party which is not legally prohibited from disclosing such information; (v) the receiving party can demonstrate the information was developed by or for it independently without the use of such information; or (vi) disclosure is required under applicable law or regulation or pursuant to a court order or court proceeding, provided that the receiving party promptly notifies the other party of such request or requirement so that such party may seek an appropriate protective order or waive compliance with this Agreement.

Use and Protection of Access Codes
If User is issued an access code to be used for Internet access to SecureTrac Risk Management’s services (the “Access Code”), User shall only publicize the Access Code to personnel on a need-to-know basis. Any log-on or password information provided to User in connection with the Access Code shall be provided only to an “Account Administrator” and specific individuals designated as “Authorized Users”. User shall notify SecureTrac Risk Management immediately upon any change of the Account Administrator or Authorized Users. If User learns or suspects that unauthorized use of its account is taking place, User shall immediately notify SecureTrac Risk Management. XII. Disposal of Screening Reports User shall properly dispose of Screening Reports in its possession in a manner which will protect against unauthorized access or use thereof or any actions that would otherwise jeopardize the confidentiality of Applicant or Employee’s personal information contained in the Screening Report. This means having policies and procedures in place that require the burning, pulverizing, or shredding of papers containing personal information so that the information cannot practically be read or reconstructed. If such information is in electronic format, this includes having policies and procedures in place to destroy or erase such personal information so it cannot practically be read or reconstructed. XIII. Audit User understands and agrees that, in order to ensure compliance with applicable laws, regulations or rules, including regulatory agency requirements, obligations under its contracts with its data providers, and SecureTrac Risk Management’s internal policies, SecureTrac Risk Management, or its designee, may conduct periodic reviews of User’s use of the services provided by SecureTrac Risk Management and may, upon reasonable notice and during User’s regular business hours, audit User’s records, processes and procedures related to User’s use, storage and disposal of those services, the Screening Reports and information received therefrom, including performing site visits at User’s premises. User shall cooperate fully in connection with any such audit, including bearing the cost of such process, and will allow, or obtain, access to such systems, properties, records and personnel as SecureTrac Risk Management may reasonably require for such audit. User agrees to respond to any such audit inquiry within ten (10) business days, unless an expedited response is required by SecureTrac Risk Management. Violations of this Agreement, applicable law, regulations or rules, or applicable policies, discovered in any review and/or audit by SecureTrac Risk Management will be subject to immediate action including, but not limited to, suspension or termination of the services by SecureTrac Risk Management as well as legal action, and/or referral to governmental regulatory agencies. XIV. Notices User acknowledges receipt of the following Federal notices:

  • Notice to Users of Consumer Reports: Obligations of Users under the Fair Credit Reporting Act, attached as Exhibit A; and
  • A Summary of Your Rights under the Fair Credit Reporting Act, attached as Exhibit B.

Payment Requirements/Collection
User Agrees to promptly pay for all services rendered hereunder in accordance with SecureTrac Risk Management’s employment screening schedule of fees. Pricing is subject to change at any time with written notice. User agrees to pay all applicable charges within thirty (30) days of receipt of the information or Screening report requested. All monetary obligations to SecureTrac Risk Management for services rendered which are past due fifteen days or more may, at the election of SecureTrac Risk Management, bear interest at the rate of one and one-half percent (1½ %) per month and/or relinquish User’s access privileges and release SecureTrac Risk Management from any obligation to perform any further services. In the event that legal action is necessary to obtain the payment of any monetary obligations to SecureTrac Risk Management, the User shall be liable to SecureTrac Risk Management for all costs and reasonable attorneys’ fees incurred by SecureTrac Risk Management in collection of such obligations. XVI. Attorneys’ Fees and Costs In the event a dispute arises with respect to this Agreement, the party prevailing in such dispute shall be entitled to recover all expenses, including, without limitation, reasonable attorneys’ fees and expenses incurred in ascertaining such party’s rights, and in preparing to enforce, or in enforcing such party’s rights under this Agreement, whether or not it was necessary for such party to institute suit or submit the dispute to arbitration. XVII. Indemnification and Limitation of Liability Indemnification by SecureTrac Risk Management. SecureTrac Risk Management agrees to and does hereby indemnify and hold User harmless from and against any and all loss, cost, expense, claim, or liability (including, but not limited to reasonable costs of litigation and attorneys’ fees) arising from any claim or action brought by a third person against User that arises out of, results from, or is based upon the gross negligence or intentional misconduct of SecureTrac Risk Management. Indemnification by User. User shall indemnify, defend and hold harmless SecureTrac Risk Management, its vendors, suppliers, officers and employees from and against any and all loss, cost, expense, claim, or liability (including, but not limited to reasonable costs of litigation and attorney’s fees) arising from any claim or action brought by a third person that arises out of, results from, or is based upon any negligent acts or omission, negligence or intentional misconduct of User or its contractors or employees, or any breach of the terms and conditions of this Agreement by User. Limitation of Liability.  SecureTrac Risk Management SHALL NOT BE LIABLE TO USER, OR ANY THIRD PERSON TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, FOR INDIRECT, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, MULTIPLE, INCIDENTAL, OR SPECIAL DAMAGES (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOST REVENUES, LOST PROFITS, LOST SAVINGS, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF SUCH PARTY HAS BEEN APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING. SecureTrac Risk Management’S LIABILITY HEREUNDER IS LIMITED TO LOWER OF (i) THE SUM OF FIVE HUNDRED DOLLARS ($500.00 US) PER REPORT DISTRIBUTED BY SecureTrac Risk Management HEREUNDER THAT PROXIMATELY CAUSED, OR ALLEGEDLY PROXIMATELY CAUSED, THE COST OR DAMAGE ALLEGEDLY SUFFERED BY USER OR (ii) AN AGGREGATE AMOUNT NOT TO EXCEED TWENTY FIVE THOUSAND DOLLARS ($25,000.00 US). THE REMEDIES SET FORTH IN THIS PARAGRAPH AND TERMINATION OF THIS AGREEMENT PURSUANT TO THE TERMS HEREOF ARE USER’S SOLE AND EXCLUSIVE REMEDIES FOR CLAIMS OR DAMAGES ARISING OUT OF OR RELATING IN ANY WAY TO THIS AGREEMENT, THE REPORTS, OR THE SERVICES TO BE DELIVERED BY SecureTrac Risk Management HEREUNDER. XVIII. Warranty SecureTrac Risk Management represents and warrants that services will be performed in a diligent and professional manner in accordance with applicable industry standards. SecureTrac Risk Management shall use its best efforts to provide high quality, timely and accurate information to User, however User recognizes that SecureTrac Risk Management cannot guarantee the accuracy of the information provided because such information is obtained from public records and other third party sources that may not always be accurate or current. The Screening Report obtained by SecureTrac Risk Management is derived from databases and records that have been created and maintained by various government agencies, private companies, and other contributors that are not under the control of SecureTrac Risk Management. Responsibility for the accuracy of the information contained in the Screening Report and these databases and records rests solely in the contributor. The User waives any and all claim or claims against SecureTrac Risk Management arising out of or related to the accuracy of the Screening Report, databases and records. XIX.Force Majeure SecureTrac Risk Management shall not be liable for, or be considered to be in breach or default on account of, any delay or failure to perform any services due to any cause or condition beyond its reasonable control (including, but not limited to, any: fire, storm, flood, wind and acts of God or the elements; breakdown of or damage to any equipment, facilities or other property; unavailability of materials, supplies, equipment, transportation, services and other necessary items; and any act or omission of User).

Notice
Except as otherwise agreed to in writing by the parties, any notice required or authorized by this Agreement to be given by one party to the other party shall be sent either: (i) electronically by email; (ii) by overnight or 2nd day mail; or (iii) by facsimile transmission with confirmed receipt to the other party at the address or, as appropriate, facsimile number, and marked for the attention of such person as specified in this Agreement. Any notice sent electronically by email shall be deemed to have been received by the other party upon delivery to the email address specified in this Agreement. Any notice sent by overnight or 2nd day mail shall be deemed to have been duly served as of the date of confirmation of such delivery. Any notice sent by confirmed facsimile transmission under this Section shall be deemed to have been duly received by the other party on the date of transmission. XXI. Choice of Law and Venue This agreement is deemed to be made, executed and performed in the State of California. This agreement shall be governed by and shall be construed in accordance with the laws of the State of California, without reference to conflicts of laws principles, and applicable United States federal laws. The parties to this agreement consent to jurisdiction and venue in the state and Federal courts located in the State of California, County of Orange. XXII. Waiver The failure of either party to insist in any one or more cases upon the strict performance of any term, covenant or condition of this Agreement will not be construed as a waiver of a subsequent breach of the same or any other covenant, term or condition; nor shall any delay or omission by either party to seek a remedy for any breach of this Agreement be deemed a waiver by either party of its remedies or rights with respect to such a breach. XXIII. Amendment This Agreement may be amended, modified, or supplemented only by a writing that refers explicitly to this Agreement and that is signed by authorized representatives on behalf of each party. XXIV. Severability If any part of this Agreement is found invalid or unenforceable, that part will be enforced to the maximum extent permitted by law and the remainder of this Agreement will remain fully in force.XXV. Entire Agreement; Purpose and Effect of Agreement This Agreement, together with any Exhibits, constitutes the final and entire agreement between the parties relating to its subject matter and supersedes any and all prior or contemporaneous letters, memoranda, representations, discussions, negotiations, understandings and agreements, whether written or oral, with respect to such subject matter, all of the same being merged herein. The Exhibits attached hereto are incorporated herein by reference. XXVI. Assignment User may not sell, transfer, assign or otherwise dispose of any of its rights or obligations under this Agreement to any other person, without the express written consent of SecureTrac Risk Management. Any attempt at assignment in violation of this section XXVI shall be void. XXVII. Counterparts This Agreement may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute a single instrument. XXVIII. Headings The descriptive headings contained herein are for convenience of reference only and shall not affect in any way the meaning or interpretation of this Agreement. IN WITNESS WHEREOF, the parties have executed this Agreement through their duly authorized representatives effective as of the Effective Date.


EXHIBIT A TO MASTER USER AGREEMENT All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau’s website, www.consumerfinance.gov/learnmore. NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA The Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Bureau of Consumer Financial Protection’s website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Bureau’s website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA. The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.

OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS A. Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

  • As ordered by a court or a federal grand jury subpoena.

Section 604(a)(1)

  • As instructed by the consumer in writing.

Section 604(a)(2)

  • For the extension of credit as a result of an application from a consumer, or the review or

collection of a consumer’s account. Section 604(a)(3)(A)

  • For employment purposes, including hiring and promotion decisions, where the consumer

has given written permission. Sections 604(a)(3)(B) and 604(b)

  • For the underwriting of insurance as a result of an application from a consumer.

604(a)(3)(C) Section

  • When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
  • To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
  • To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial

responsibility or status. Section 604(a)(3)(D)

  • For use by a potential investor or servicer, or current insurer, in a valuation or assessment

of the credit or prepayment risks associated with an existing credit obligation. 604(a)(3)(E) Section

  • For use by state and local officials in connection with the determination of child support

payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5) In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of “prescreened” information are described in Section VII below.

Users Must Provide Certifications
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

Users Must Notify Consumers When Adverse Actions Are Taken
The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.

Adverse Actions Based on Information Obtained From a CRA
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:

  • The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
  • A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
  • A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days.
  • A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.

Adverse Actions Based on Information Obtained From Third Parties Who Are NotConsumer Reporting Agencies 
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer’s written request.

Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.

Users Have Obligations When Fraud and Active Duty Military Alerts are in Files
When a consumer has placed a fraud alert, including one relating to identify theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.

Users Have Obligations When Notified of an Address Discrepancy
Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed. Federal regulations are available at www.consumerfinance.gov/learnmore.

Users Have Obligations When Disposing of Records
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. Federal regulations have been issued that cover disposal.

CREDITORS MUST MAKE ADDITIONAL DISCLOSURES
If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the Consumer Financial Protection Bureau. Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan Applicant”). III. OBLIGATIONS OF USERS WHEN CONSUMER REPORTS ARE OBTAINED FOR EMPLOYMENT PURPOSES

Employment Other Than in the Trucking Industry
If the information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:

  • Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.
  • Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.
  • Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer
  • Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of consumer’s rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken

An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2) The procedures for investigative consumer reports and employee misconduct investigations are set forth below.

Employment in the Trucking Industry
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.

OBLIGATIONS WHEN INVESTIGATIVE CONSUMER REPORTS ARE USED
Investigative consumer reports are a special type of consumer report in which information about a consumer’s character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:

  • The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
  • The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure described below.
  • Upon the written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.

SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.

OBLIGATIONS OF USERS OF MEDICAL INFORMATION
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or a permitted by statute, regulation, or order). VII. OBLIGATIONS OF USERS OF “PRESCREENED” LISTSThe FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(1), 604(c), 604(e), and 614(d). This practice is known as “prescreening” and typically involves obtaining a list of consumers from a CRA who meet certain pre-established criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:

  • Information contained in a consumer’s CRA file was used in connection with the transaction.
  • The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.
  • Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.
  • The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system.

In addition, the Consumer Financial Protection Bureau has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The relevant regulation is 12 CFR 1022.54. VIII. OBLIGATIONS OF RESELLERS

Disclosure and Certification Requirements
Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:

  • Disclose the identity of the end-user to the source CRA.
  • Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
  • Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:

(1) the identify of all end-users; (2) certifications from all users of each purpose for which reports will be used; and (3) certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.

Reinvestigations by Resellers
Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.

Fraud Alerts and Resellers
Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting agency to include these in their reports.

LIABILITY FOR VIOLATIONS OF THE FCRA
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619. The Bureau of Consumer Financial Protection’s website, www.consumerfinance.gov/learnmore, has more information about the FCRA, including publications for businesses and the full text of the FCRA. [77 FR 67754, Nov. 14, 2012]


Exhibit B

Para información en español, visite www.consumerfinance.gov/learnmore o escribe al Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552. 

A Summary of Your Rights Under the Fair Credit Reporting Act

The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Here is a summary of your major rights under the FCRA. For more information, including information about additional rights, go to www.consumerfinance.gov/learnmore or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.

You must be told if information in your file has been used against you. Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you – must tell you, and must give you the name, address, and phone number of the agency that provided the information.

You have the right to know what is in your file. You may request and obtain all the information about you in the files of a consumer reporting agency (your “file disclosure”). You will be required to provide proper identification, which may include your Social Security number. In many cases, the disclosure will be free. You are entitled to a free file disclosure if:

  • a person has taken adverse action against you because of information in your credit report;
  • you are the victim of identity theft and place a fraud alert in your file;
  • your file contains inaccurate information as a result of fraud;
  • you are on public assistance;
  • you are unemployed but expect to apply for employment within 60 days.In addition, all consumers are entitled to one free disclosure every 12 months upon request from each nationwide credit bureau and from nationwide specialty consumer reporting agencies. See www.consumerfinance.gov/learnmore for additional information.

You have the right to ask for a credit score. Credit scores are numerical summaries of your credit-worthiness based on information from credit bureaus. You may request a credit score from consumer reporting agencies that create scores or distribute scores used in residential real property loans, but you will have to pay for it. In some mortgage transactions, you will receive credit score information for free from the mortgage lender.

You have the right to dispute incomplete or inaccurate information. If you identify information in your file that is incomplete or inaccurate, and report it to the consumer reporting agency, the agency must investigate unless your dispute is frivolous. See www.consumerfinance.gov/learnmore for an explanation of dispute procedures.

Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information. Inaccurate, incomplete or unverifiable information must be removed or corrected, usually within 30 days. However, a consumer reporting agency may continue to report information it has verified as accurate.

Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than 10 years old.

Access to your file is limited. A consumer reporting agency may provide information about you only to people with a valid need — usually to consider an application with a creditor, insurer, employer, landlord, or other business. The FCRA specifies those with a valid need for access.

You must give your consent for reports to be provided to employers. A consumer reporting agency may not give out information about you to your employer, or a potential employer, without your written consent given to the employer. Written consent generally is not required in the trucking industry. For more information, go to www.consumerfinance.gov/learnmore.

You may limit “prescreened” offers of credit and insurance you get based on information in your credit report. Unsolicited “prescreened” offers for credit and insurance must include a toll-free phone number you can call if you choose to remove your name and address from the lists these offers are based on. You may opt out with the nationwide credit bureaus at 1-888-5-OPTOUT (1-888-567-8688).

You may seek damages from violators. If a consumer reporting agency, or, in some cases, a user of consumer reports or a furnisher of information to a consumer reporting agency violates the FCRA, you may be able to sue in state or federal court.

Identity theft victims and active duty military personnel have additional rights. For more information, visit www.consumerfinance.gov/learnmore.

States may enforce the FCRA, and many states have their own consumer reporting laws. In some cases, you may have more rights under state law. For more information, contact your state or local consumer protection agency or your state Attorney General. For information about your federal rights, contact:

TYPE OF BUSINESS: CONTACT:
1.a. Banks, savings associations, and credit unions with total assets of over $10 billion and their affiliates b. Such affiliates that are not banks, savings associations, or credit unions also should list, in addition to the CFPB: “a. Consumer Financial Protection Bureau 1700 G. Street N.W. Washington, DC 20552 b. Federal Trade Commission: Consumer Response Center – FCRA Washington, DC 20580- (877) 382-4357
 
2. To the extent not included in item 1 above: a. National banks, federal savings associations, and federal branches and federal agencies of foreign banks b. State member banks, branches and agencies of foreign banks (other than federal branches, federal agencies, and Insured State Branches of Foreign Banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act c. Nonmember Insured Banks, Insured State Branches of Foreign Banks, and insured state savings associations d. Federal Credit Unions a. Office of the Comptroller of the Currency Customer Assistance Group 1301 McKinney Street, Suite 3450 Houston, TX 77010-9050 b. Federal Reserve Consumer Help Center P.O. Box. 1200 Minneapolis, MN 55480 c. FDIC Consumer Response Center 1100 Walnut Street, Box #11 Kansas City, MO 64106 d. National Credit Union Administration Office of Consumer Protection (OCP) Division of Consumer Compliance and Outreach (DCCO) 1775 Duke Street Alexandria, VA 22314
3. Air carriers Asst. General Counsel for Aviation Enforcement & Proceedings Aviation Consumer Protection Division Department of Transportation 1200 New Jersey Avenue, S.E. Washington, DC 20423
4. Creditors Subject to the Surface Transportation Board Office of Proceedings, Surface Transportation Board Department of Transportation 395 E Street, S.W. Washington, DC 20423
5. Creditors Subject to the Packers and Stockyards Act, 1921 Nearest Packers and Stockyards Administration area supervisor
6. Small Business Investment Companies Associate Deputy Administrator for Capital Access United States Small Business Administration 409 Third Street, S.W., 8th Floor Washington, DC 20549 7. Brokers and Dealers Securities and Exchange C
7. Brokers and Dealers “Securities and Exchange Commission 100 F Street, N.E. Washington, DC 20549
 
8. Federal Land Banks, Federal Lank Bank Associations, Federal Intermediate Credit Banks, and Production Credit Associations Farm Credit Administration 1501 Farm Credit Drive McLean, VA 22102-5090
9. Retailers, Finance Companies, and All Other Creditors Not Listed Above FTC Regional Office for region in which the creditor operates or Federal Trade Commission: Consumer Response Center – FCRA Washington, DC 20580 (877) 382-4357